11241100x80000000000000004294499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:02.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:02.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB82E71E4F8AC5055578F8ECA684AA4B,SHA256=562BF3A69CF8634E1DE543A7D1480B92F3D666A0D4E4446C6D25CE0BA666A873falsetrue 23542300x80000000000000001314182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:02.637{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C9384B4325D2CF3D7163375D164710,SHA256=07B5398D3AAEB8358AE2E1D91B2A307A3EC05FB8CA3EBDB4585021BA46DCA62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314186Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:03.652{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B073D847DF93204D8E163273D50D443,SHA256=A26F36A7CF3B1B73CA52792AFA45223D81BA2FB93AD088483EDF9B7EFCCFCA0D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:03.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:03.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7BB70F034E8B8C28551B530FC945F95,SHA256=F48379C6F3EFDABB06B02E9BC52849C9D12647639CD13C10DEA91E287449D813falsetrue 354300x80000000000000001314185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:27:57.511{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59573-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:03.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DB6AFFBB8809DFC9CAC8AB18CF7F8AB,SHA256=3A12BA33D87CEF346E9F412FC953BE22214F350323495792018EDB00E3D82650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:03.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58120665A3A1532EEB339464090943A8,SHA256=D7459DAA9DFD88944C2D784F1D2CC865AFDEA3074A1F4D20C1FCDBF323A9DB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314187Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:04.668{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F86A0A4843488AAA813203F425E2F2,SHA256=4E210A94250BA18780B7A610C633E133CBF52E4E78F8148278F613B10FB769A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004294508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:27:52.639{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54653-false10.0.1.12-8000- 11241100x80000000000000004294507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:04.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:04.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5736D4D46F3CDFF62347DCA6427F0D4C,SHA256=35FFDFAE4DBFF29C5E1A88B95F84509770C3D6D5BEE24C8D813FF5CD5B6B0965falsetrue 11241100x80000000000000004294505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:04.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:04.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C6DEC54511C1C14FC2E2C59F0607FE92,SHA256=14851A471AA7822B68F66DB7B76B2CC0B033093F918E8ECEA1D4A2D0F968B807falsetrue 11241100x80000000000000004294503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:04.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:04.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F507F518A568A07C8CC5E2FCCB36389D,SHA256=ADDC4677CCE13655FE08BBC5257C55EBECA0D95803C0833EE807DBC1671C0788falsetrue 23542300x80000000000000001314188Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:05.699{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25C80456C67C1711856086CFA42E2BC,SHA256=60F07F345324CF436E1A9EDAD4A96B42E5A2C4C9F07BE56A4FEA193734D8EABB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:05.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:05.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D580FAF3B1AC6D4845DD5886C57AB61,SHA256=0C5A8D5F495BC046F6169AADD451C00C11077CE64B5A4A711BD6C7354D6C0E3Bfalsetrue 11241100x80000000000000004294512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:05.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:05.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A134E7C0B58F2E4F044D6D4BFEC5D79A,SHA256=6F7E6B509D6DB632D507EE52A40B2017F4A6B8191C32B26424191BA3172E266Efalsetrue 11241100x80000000000000004294510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:05.401{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:05.401{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A54071DFEBBB9D4872A3122D63CB66C,SHA256=4308F9FFFBC0F5E7FFF9811F97B328A04F96D61899C1D4003033166843B18C2Efalsetrue 23542300x80000000000000001314189Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:06.714{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD79FA1F20DB925E01C9F0915984C1B,SHA256=0721F67A69C58105CEE9CB0FC2DE78AAEDC30B03A60D6E429F0CF96E0E5E2F22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:06.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:06.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60790797E59DFA1152677ED36CE02664,SHA256=EFA8E9375132DDD82D495B0C04C53802C1F99BCCD01D07325C42EDB344803F98falsetrue 11241100x80000000000000004294516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:06.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:06.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A5815F435F512A6A3EE568A07EA05C,SHA256=AC0E2CE4A7E7890BC5DA28D8448DDBC6213942B342CEC736706D408547989153falsetrue 23542300x80000000000000001314190Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:07.729{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF57545E1AB25A0A3EE7F79460702078,SHA256=8EB5C002C76CC6059E8FA82A6C2BA2A8100F9A2609A4AEDD850CBC94E05D252B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:07.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:07.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0314151161C1D408BA276DF4810816C3,SHA256=BD3D155D7F2FBAFC990E018ABE9EC13A93A0BEB7291A94B142FAF507F5486697falsetrue 23542300x80000000000000001314191Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:08.745{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E8F198906ED9617E075A022E23B627,SHA256=49D5F3DF4BF31272DD79EFF9DDADE66F139A0BE022869701F1F0922E39BDA372,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:08.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:08.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0645583F80D354106A09741E9B09E55D,SHA256=71F3D41753059E2276C2D11D9EF723051ECC98A6AF1AA8EA1C4822ECEFE27C2Bfalsetrue 11241100x80000000000000004294522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:08.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:08.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E546C1CD7B460CAFC7FE540C576799B3,SHA256=F7717B3608CC43C47C80FC3AD414111A9B57B57D693C589E2F20A27703E0CC16falsetrue 354300x80000000000000004294531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:27:57.639{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54654-false10.0.1.12-8000- 11241100x80000000000000004294530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA87F18607F23639DB0528C37A88FCE2,SHA256=918B0060EB43A3E8CCE1720127FA62FB7B3B59F819C87D44F9F83E2465061E8Afalsetrue 23542300x80000000000000001314195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:09.792{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A8EB79C210FA96BA45732A5545BE0D,SHA256=AD7F8233583B79144853E58BEA6B151FBA3A994C01D63805E65A0262AA8D9966,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:03.412{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59574-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:09.073{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7071F65CA6FDF61CFF7B89471E064BA2,SHA256=55AE7A7B2911012E7FCF4ABEA363890F60D9F829294D6D79CCE1B6DEF84AC99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314192Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:09.073{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DB6AFFBB8809DFC9CAC8AB18CF7F8AB,SHA256=3A12BA33D87CEF346E9F412FC953BE22214F350323495792018EDB00E3D82650,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7005A94D9F4C19EA866B1E204C4CF951,SHA256=36963C82FB83499392C1F49C36C3BE6818699EDCC5DEFFF1CE57093B698E550Bfalsetrue 11241100x80000000000000004294526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1F59FBFD3B6E8B06DCC34709600E8B8,SHA256=1924D69B926C0DFCF01AC21F9D26E708992EE585B7F48C206865F69DCC746896falsetrue 11241100x80000000000000004294537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C9009E875B6278C8F3532D4B9EDE720,SHA256=8A59DD97E011487E107070015A553BD4E254DE384CB68B8BFC5ABFCA0D3D2578falsetrue 11241100x80000000000000004294535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.745{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.745{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C5848CB8313D2CAFD873F012643E47,SHA256=BBAC96331BB70D00C914D68647DC37465B51BC7E675C93450F6BD2B8A887AD24falsetrue 23542300x80000000000000001314196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:10.824{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E6DAA848C5743BB9E65CF524D24C90,SHA256=AB430F480C91DF0999A24F41905534F9F7A2D06C4CC3393FC2FE5F91EE5ECAA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:09.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6C9659877B7ED7A7E400265D23F529B,SHA256=523327687C12ACE88DECF3BAC68B74E1EA1717092E14F3C27C147D1AD4A8002Dfalsetrue 23542300x80000000000000001314197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:11.871{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340ED3088367C453EC2A1309B67D6C8D,SHA256=9F9B4365314E202CA107EA9B83906B935A116F842CABF0E8025B341D12B19BF5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:11.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:11.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B4AFA05FBB1E35074854D341A5B62B,SHA256=3CACF79B8561913D6D112F34E8BD749A1A127F9F34C3CA45CD84DE802BF34BADfalsetrue 12241200x80000000000000004294542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:12.886{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 11241100x80000000000000004294541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:12.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:12.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB4F392F8F7A17EB1564A6830724DDF,SHA256=E8E651B06F23B7337690AF20F3B898890472E90355E1DFE26C8F5CF0570F5DE2falsetrue 23542300x80000000000000001314198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:12.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73F4731CFB0835338298D9694352014,SHA256=CA5C732CDD03511F3003A51709C4FBEC1358D272BE00860C0DC49280EA300138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:13.949{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFF4DD06A4BED7C261A84C6C3B0A731,SHA256=8381378F72ED72AD27FAB3303B5C632768B91A49761A938017F9AC57B7457322,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:13.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:13.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8251AC047EF01D5272CA755DDE63A77A,SHA256=5E33766021C22817D4792997EA075D60C002CC2897F638C501DDA0D73DF0CFDFfalsetrue 11241100x80000000000000004294544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:13.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:13.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AC0C2898CA41CBD6B211740739AFDE3,SHA256=11E035932B59D8AA4D1EFD5657D74429E6AF06EAFF51575C9D691AD5C7C7914Afalsetrue 11241100x80000000000000004294554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB47AA4096A82335ECCBCE94AF8A3D75,SHA256=D2B4DC758EC202F1F3817D03DF0984FFFEE4A7A2ADC5883852F36AC2FAE52EDCfalsetrue 23542300x80000000000000001314200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:14.965{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C777A3CBC34B931E600BA88090BD1F,SHA256=1F8BB97C6D160CA2CD860479C5BEF999D38FA6BF1FFF231E6C4AB8A6199CB056,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.370{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.370{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27056A6E33A52ABFF31CCC97C062CBA,SHA256=51B1A4E8D03F736E8E9BFE07A7FD42402A57451D08E2BDD62ACB67E63E281081falsetrue 11241100x80000000000000004294550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.370{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.370{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7424F500B4B05E4235A5BA785E54A241,SHA256=EA1EBFFDCC2AB5C0B8671C74C67052B9FEE71A4CBFCBB59721B57DCACAA7FF63falsetrue 11241100x80000000000000004294548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01D9F154489C11B12674823CCD617932,SHA256=B9C8F07EE22CAFD6E2E4CA3D77FA1CCF0AB0609E721A1A95EAF08263A473F9BDfalsetrue 23542300x80000000000000001314204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:15.980{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAF658EDE2B8C1BC80F0F18DF916D39,SHA256=D0F67D3256552322962B8AE10F550266D3A40D8989BA7E95F7B5C2717B68CA2C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:15.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:15.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30DFF4B4620B97A862D85972E0CF0D27,SHA256=8FE00B7E7A29CD7FD9119D8FB4BBF84AD953E917BF3C80C18117D8600A0387DEfalsetrue 354300x80000000000000004294557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:02.702{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54655-false10.0.1.12-8000- 11241100x80000000000000004294556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:15.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:15.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B7226FA2F5284D261880DA7B32FE1A5F,SHA256=BAC1B4FBF7D3CCE1481F003C929E969DF680DC4EC9B75F07BB1A59F4C756E8E2falsetrue 354300x80000000000000001314203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:09.413{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59575-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:15.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8D7F0D06D98E16A239E368B4D012B06,SHA256=32C24D500A05BDF3239DFA051BF47F4A7F16D69604A22B84632D5E577CE55205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:15.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7071F65CA6FDF61CFF7B89471E064BA2,SHA256=55AE7A7B2911012E7FCF4ABEA363890F60D9F829294D6D79CCE1B6DEF84AC99E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:16.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:16.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5811C7D5BE1DCEE3CBB4B70A1D444573,SHA256=FA8080F960E509B39F663E05E45548F3C466C7A9AFBA44BD189F0F40421BB9B0falsetrue 11241100x80000000000000004294563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:17.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:17.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F93045A3F12A822119AF594BC028652,SHA256=BFABE7BE38F5A5674F8BCE948DDEE8DC131A4BCF366E6511CC05AEA2B3804DD0falsetrue 23542300x80000000000000001314205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:17.012{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403A72F6740265FF8BB9D1E32B4BDBEB,SHA256=D19464F71FDE0325BB51BEB2CAD440F8220E0E8D5E0DDFAEEBF695C9DF760EA4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:18.745{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000004294568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:18.745{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=37C8A4297679933F443F41D405E214C8,SHA256=7EE1AF8B8D55C6BC734461709A4016B6511552C8674EBAD91F1CE9741F59EE97falsetrue 11241100x80000000000000004294567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:18.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:18.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7FAD53B17FDBEFC54B01F3EAACA28C3E,SHA256=2008D42F1D6FFC7BD6C759548CFCAC168E03FC76024C9AE2BBB59CB21A308C5Ffalsetrue 11241100x80000000000000004294565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:18.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:18.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF57E442008F2828DC4A2882DA29CE4,SHA256=1653A72BA94A76177D4B94173A2C247D2D11634DF188DC139741521F24B0B6DBfalsetrue 23542300x80000000000000001314206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:18.059{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A6D1BF75EF556891B554EB00BD3BDA,SHA256=54A8F672EDB4349DF2C9277966A37604D326A4E4994461BD528582FB10BCE62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:19.074{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEAFC737D834A0FB0A37C78891D72D9,SHA256=5B321939021F7535B6357CB7DBE0DC53B4551B1630EE5C6CC6252F98101BDF08,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:19.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:19.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B3DEE9A56623AA81BC8131A53ECCB2,SHA256=2AF2A40BD20D889F649960FB8C4730CB4D0DDC115B4D23ACED5A11933EC49F9Bfalsetrue 11241100x80000000000000004294571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:19.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:19.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42232F5AB6645D7606B1DA484F985D5A,SHA256=D9E4B1AB8CF804EB19DD1F6FA3F6AD6A0C0F7BA510708D8A3405C0A24A456AC3falsetrue 534500x80000000000000004294642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.870{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004294641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.870{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004294640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.870{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004294639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.870{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004294638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004294637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004294636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004294635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004294634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004294633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004294632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004294631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004294630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004294629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004294628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000004294627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004294626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004294625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004294624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004294623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004294622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.761{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004294621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004294620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004294619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004294618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004294617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004294616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004294615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004294614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004294613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004294612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004294611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004294610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004294609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004294608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004294607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004294606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000004294605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004294604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004294603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000004294602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000004294601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004294600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004294599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004294598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004294597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000004294596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004294594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000004294591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.746{4DF467A6-03A4-6138-92B4-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:20.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000004294582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:08.577{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54656-false10.0.1.12-8000- 11241100x80000000000000004294581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.261{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.261{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E48A51B90F4C5BF8639082EA911B3F,SHA256=1EA884FB82B212A4229CEAC3CEC5E30A8DCA67884F85D58951D4F5A1F5C1B854falsetrue 23542300x80000000000000001314208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:20.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8962AB69F838C029A968FB1EE99992CA,SHA256=C78C64FF7B1D2AAD1A76F74E4F829BF140FBC05C8DE96507A6E1DFE770F99EEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004294579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=612F78E5C5DEF51193360B0D998B838B,SHA256=D8C12D3E3ED71FCA77A64DC5D89B1665377CA3750E20C0E606F423919A2E1A21falsetrue 11241100x80000000000000004294577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CD215C44AB5CC6ADED05BD23A70394E,SHA256=DB1CB1EFBDC07E8655B6D419F8E6F5B48D8C4162DD4BC23D72F76A432F12EF38falsetrue 11241100x80000000000000004294575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:20.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27056A6E33A52ABFF31CCC97C062CBA,SHA256=51B1A4E8D03F736E8E9BFE07A7FD42402A57451D08E2BDD62ACB67E63E281081falsetrue 11241100x80000000000000004294744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CD215C44AB5CC6ADED05BD23A70394E,SHA256=DB1CB1EFBDC07E8655B6D419F8E6F5B48D8C4162DD4BC23D72F76A432F12EF38falsetrue 11241100x80000000000000004294742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC327FEE3747B304CA0B66C20A1004,SHA256=AC76507BF88C91DB30647B1EEDAB5666233FAC5C5CAD23B250B5DB518D91A36Cfalsetrue 534500x80000000000000004294740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.558{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004294739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.558{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004294738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.542{4DF467A6-03A5-6138-93B4-00000000F001}480500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.542{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 23542300x80000000000000001314211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:21.137{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87B61FA7CB82395A450C28B6BDCB7A9,SHA256=758E01BFF10D0840017E842CCDF9A6712AF37002CADAA6A2EA794CEF3CBF7BC3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004294736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.542{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 13241300x80000000000000004294735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000004294734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000004294733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000004294732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000004294731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a448) 13241300x80000000000000004294730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x6da6abb1) 13241300x80000000000000004294729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a448) 13241300x80000000000000004294728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x6d95fb0e) 12241200x80000000000000004294727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x80000000000000004294726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x80000000000000004294725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x80000000000000004294724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x80000000000000004294723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x80000000000000004294722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x80000000000000004294721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x80000000000000004294720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x80000000000000004294719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000004294718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000004294717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x80000000000000004294716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$ 12241200x80000000000000004294715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000004294714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000004294713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x80000000000000004294712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.495{4DF467A6-3F46-6132-0B00-00000000F001}6364364C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000004294711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x80000000000000004294710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.495{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 734700x80000000000000004294709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004294708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004294707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004294706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004294705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004294704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004294703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004294702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004294701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004294700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.433{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004294699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004294698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004294697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004294696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004294695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004294694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004294693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004294692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004294691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004294690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004294689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004294688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004294687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004294686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004294685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004294684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004294683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004294682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004294681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004294680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004294679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004294678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004294677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004294676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004294675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004294674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004294673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004294672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 11241100x80000000000000004294671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26876DCA23FCD55A706A907FDF4DC42D,SHA256=4E527972583F037C6B2817872C01142093D46FA2A4D3ED018F7302168EF407D5falsetrue 10341000x80000000000000004294669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004294667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000004294664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.418{4DF467A6-03A5-6138-93B4-00000000F001}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:21.417{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 12241200x80000000000000004294655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000004294654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248\lsassC:\Windows\system32\svchost.exe 12241200x80000000000000004294653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004294652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000004294651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x80000000000000004294650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-291.attackrange.local 12241200x80000000000000004294649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000004294648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x80000000000000004294647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004294646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x80000000000000004294645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:21.386{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 11241100x80000000000000004294644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:21.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E92E9AB4E796991170BFCCBE70D008F3,SHA256=2185F2650102DF52B0C556DB30259BC21CD2B53D31450E78D75B277A50AF4526falsetrue 23542300x80000000000000001314210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:21.105{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F05830F71DCF85F55A650C2C21DF32BF,SHA256=C958819235821015B8282460A3C75D0EABB9100CE9B00FAE84C9014EB8E04BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:21.105{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8D7F0D06D98E16A239E368B4D012B06,SHA256=32C24D500A05BDF3239DFA051BF47F4A7F16D69604A22B84632D5E577CE55205,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000004294860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.886{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004294859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.886{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004294858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.886{4DF467A6-03A6-6138-95B4-00000000F001}59206484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.886{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004294856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.886{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004294855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004294854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004294853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004294852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004294851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004294850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004294849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004294848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004294847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004294846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.777{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004294845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004294844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004294843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004294842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004294841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004294840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004294839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004294838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004294837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004294836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004294835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004294834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004294833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004294832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004294831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004294830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004294829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004294828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004294827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004294826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004294825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004294824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004294823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004294822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004294821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004294820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004294819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004294818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004294816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004294813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.762{4DF467A6-03A6-6138-95B4-00000000F001}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:22.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000004294804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.829{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54657-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000004294803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.829{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54657-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 11241100x80000000000000004294802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8537F70B551A9083867DE1ACA5BB237D,SHA256=4C79C6EABBEE26D28DD5AB0C29EABDDFCEF3EBFE5DCA73E6291F322A41678AD8falsetrue 23542300x80000000000000001314213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:22.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A18F2D7075953DC39225E43CD64C63,SHA256=F455D88482BF46C161BAEB75BFEA738546A26DA2F0868A0A1BA6BF6E33C2E2F6,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000004294800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.214{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004294799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.214{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004294798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.214{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004294797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.214{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004294796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004294795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004294794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004294793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004294792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004294791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004294790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004294789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004294788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004294787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.105{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004294786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004294785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004294784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004294783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004294782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004294781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004294780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004294779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004294778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004294777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004294776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004294775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004294774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004294773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004294772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004294771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004294770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004294769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004294768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004294767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004294766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004294765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004294764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004294763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004294762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004294761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000004294760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004294759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004294758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004294756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000004294753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:22.090{4DF467A6-03A6-6138-94B4-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:22.089{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000001314212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:15.429{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59576-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:23.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139AA62AC93335962EE0531932E5A79F,SHA256=5DDDDA79B2576DFA812ABD529BF869B56FD98E30925E4285B0DE9325D1242739,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004294979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004294978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004294977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004294976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004294975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004294974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004294973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004294972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004294971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004294970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.964{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004294969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004294968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004294967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004294966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004294965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004294964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004294963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004294962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004294961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004294960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004294959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004294958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004294957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004294956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004294955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004294954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004294953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004294952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004294951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004294950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004294949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004294948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004294947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004294946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004294945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004294944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004294943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004294942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004294940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004294937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.949{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:23.949{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004294928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150856655C12402980476D136F5770D9,SHA256=3CE8F04C670B21AB04D59B268F12D605EA74A63129918E56F8B930F1C986E761falsetrue 11241100x80000000000000004294926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=311F7F4DF11BCEC5276ED40C876E99A2,SHA256=F9E8C6FE43F671811CD119EA435CA1E93DC60282C908AD5423A7ABFA4CCB849Afalsetrue 11241100x80000000000000004294924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004294923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3E63DC0CEF28A5588F9F0BCA1BB296,SHA256=93FF3A23401524EFA60E021D27AD38B9121093BFBBEA14B81D43EFC04F732E87falsetrue 354300x80000000000000004294922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.939{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54659-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000004294921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.939{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54659-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000004294920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.835{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local54658-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000004294919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:10.835{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54658-false10.0.1.14win-dc-291.attackrange.local389ldap 534500x80000000000000004294918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.558{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000004294917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.558{4DF467A6-03A7-6138-96B4-00000000F001}15724688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.558{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004294915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.558{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004294914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004294913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004294912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004294911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004294910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004294909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004294908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004294907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004294906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004294905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004294904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.449{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004294903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004294902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004294901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004294900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004294899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004294898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004294897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004294896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004294895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004294894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004294893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004294892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004294891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004294890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004294889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004294888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004294887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004294886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004294885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004294884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004294883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004294882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004294881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004294880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004294879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004294878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004294877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004294876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004294874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000004294871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.434{4DF467A6-03A7-6138-96B4-00000000F001}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:23.433{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004294862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:23.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=654E79720D0F5C69FE22571129294D11,SHA256=ACC2DE52E2BCEB1400E06D2185901802198E6EC05861BA3E34CB0DB16BB60FE7falsetrue 23542300x80000000000000001314215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:24.262{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C99AB3511C81F39A78484713E8476A,SHA256=8E09723C0DD6C16591C5AB3E43D0299E0AAB33E2F35989DD721C1245EA1A3E15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.917{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000004295049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.917{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 534500x80000000000000004295048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.620{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004295047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.620{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004295046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.605{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.605{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004295044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4CFB5162C982728A5E1A648B290E8E,SHA256=498E80FB8092AB1BC21F281840AB11E614F8B8ECC642A579EE884B1278227186falsetrue 11241100x80000000000000004295042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.511{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.511{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90028FD0C9CADF6F6646A83C2BFC3F6,SHA256=E2C38BEB321CD94DFB2F207F96958F158E928E647797FFE4B750412683C1D82Cfalsetrue 734700x80000000000000004295040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004295036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004295034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.495{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000004295023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004295006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004295002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004294999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004294998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000004294997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004294996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004294995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.481{4DF467A6-03A8-6138-98B4-00000000F001}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004294994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004294990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004294989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:28:24.480{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004294988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004294987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=549147D7AC4B2397906BF3AF58FFEAE2,SHA256=164C3917D942471CF657D42D6E92816AB79E434973C7747BDFA1E0DBE68F4EAEfalsetrue 11241100x80000000000000004294986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004294985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=035CB8DDFFFBC414069B628B9120A109,SHA256=F4C836A51943AF57381A9F7F792955CA471A82371CDA91B5741DED12CD655A95falsetrue 534500x80000000000000004294984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.074{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004294983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.074{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004294982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.074{4DF467A6-03A7-6138-97B4-00000000F001}47641008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004294981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.074{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004294980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:24.074{4DF467A6-03A7-6138-97B4-00000000F001}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004295056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644209F1C91C5EA42983CB7799410F6F,SHA256=10BD5A2BDC77AD512BE23AA6E3FFF5350B7048B8294484A416F5E0C29A310F8Dfalsetrue 23542300x80000000000000001314216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:25.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0CF2E16A26722D2085305AB7D907D8,SHA256=A5006C9BC4F2B23EDC1482BA4AB26BF63DE168ABF432E8CE72EC8C188F9E25B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0EE349A6C08784B067D3C55A57C0DF,SHA256=2DE684CB1D612C87D9E340A51FC6F5B3ABCD1DFD57773E754A3E15607421777Afalsetrue 11241100x80000000000000004295052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=702480C4E5F30F7CA07798EF17BB0C09,SHA256=8A83CD55045FA62986DE030B1B71DFD83227CA54ED2142D4924E0EED8A41EC87falsetrue 11241100x80000000000000004295063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:26.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:26.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2368B493225EAE62ACC998DD52897BB,SHA256=AAA2363941AA29032E345112066F7CDCDCE2A2BD8BAC8EAC8E93C48ABE844F99falsetrue 354300x80000000000000004295061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.342{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54660-false10.0.1.12-8089- 11241100x80000000000000004295060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:26.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:26.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8FAA25EFEB2D395DCF30B7A0255F88,SHA256=AD24B4DB88E7BFFB000013586C29D730EE329FA2DB25A5A0F71D4B68043ABBBEfalsetrue 23542300x80000000000000001314219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:26.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47E2A82CE29C1D0D30179ECD5E03F16,SHA256=5867BEF02A2F923B20DFFA4628F01DE8BEF897D655666C98E77F50F676C62FBE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:26.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:26.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4C3CB72013DFCF83657C4AA4D497E1BC,SHA256=362112E3E4CF0CB7A94DE82BBCAC0955129EE2608C02957D160E92C4912C6FF7falsetrue 23542300x80000000000000001314218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:26.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558171B6E0682E38E4973D6E480C0D93,SHA256=1BDAAAB68A7361B9D10A9678484BA24109EF4C90FD2F7953CBEFCF968B2E0CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:26.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F05830F71DCF85F55A650C2C21DF32BF,SHA256=C958819235821015B8282460A3C75D0EABB9100CE9B00FAE84C9014EB8E04BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:14.577{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54661-false10.0.1.12-8000- 11241100x80000000000000004295065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:27.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:27.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34B6301E39D12BE66273F056D73D401,SHA256=5DC5FE693FF4AC6E8FAE179C6835E61B07B0F2EFB05D95D1B92DFDAE8B960677falsetrue 354300x80000000000000001314221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:20.616{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59577-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:27.311{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEEE36665B6617C2CA9E81B2EFC75CC,SHA256=14E1F45D5456C17189762D33D381C639F2CA2A460F899D3A1D57830A3FDB2ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:28.326{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F305A8B5653BCB047F3AB91D6B2B840,SHA256=B353774F36D14F6A5D0D617F34F7A1948519F031EEF071C1924525CD2FAB019A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:28.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:28.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9C777E05475D2063CA1305C4AE5F0E,SHA256=32ABDAED3FE84C60C8C4E09EDDBC5375249E02ABDDACFE9FB21C33ABE3A320C4falsetrue 11241100x80000000000000004295068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:28.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:28.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9B2A0A6659896AD540A0417AC37E0CB,SHA256=CC7ECEB970B18D74BE4FBFCB7D9994761727C0611161A543AFB38BB611322AB4falsetrue 11241100x80000000000000004295074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:29.670{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:29.670{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C06C2FDBE0C53D553E619D548592AD4,SHA256=25399FB57C29DECEAFFB789682E33F5DAA8261B42C0BDC8A5659A9168C798A9Efalsetrue 10341000x80000000000000001314237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.904{AEE49BD1-03AD-6138-BBB0-00000000F101}57084360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03AD-6138-BBB0-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-03AD-6138-BBB0-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.795{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03AD-6138-BBB0-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.780{AEE49BD1-03AD-6138-BBB0-00000000F101}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:29.342{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB94094E9A8187CF25E8B45F98F3CCD,SHA256=096F9483ACD49E73A4D2C09DD9685CDDCCE6F0DE97ABE1341989121D9D53ED98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:29.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:29.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4626095EDC35BD8CA3474144DE3BAF78,SHA256=4888A2E3DEE101AB9FA819B916A54891DBAAECBD32FB01613E5AE3DBC1BB3C0Dfalsetrue 11241100x80000000000000004295078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:30.702{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:30.702{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4395B33C101BB9AB12D270D3D71D54B8,SHA256=AE872E66DCACD75B1314E7C57477082E99020793C6B71C3DD73B86D9A6EA92ADfalsetrue 23542300x80000000000000001314252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.873{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558171B6E0682E38E4973D6E480C0D93,SHA256=1BDAAAB68A7361B9D10A9678484BA24109EF4C90FD2F7953CBEFCF968B2E0CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03AE-6138-BCB0-00000000F101}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-03AE-6138-BCB0-00000000F101}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.451{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03AE-6138-BCB0-00000000F101}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.437{AEE49BD1-03AE-6138-BCB0-00000000F101}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:30.357{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9C429041484942D5F8A048B371FACA,SHA256=F3A0BDA7235424BCA13FEEBA988D2CFF3419A7948886881D726CBD26A45B4881,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:30.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:30.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34672A7D63C300E9490DAE3C32E8CA6D,SHA256=E8A68D5E1CA670C769C0A85FC97D754B16CF917CCEA8B09C186BC788052BB663falsetrue 11241100x80000000000000004295084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:31.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:31.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6527F0695735E8011304FFD363DE32E6,SHA256=E416B3DA9855733B02DD973634D9CB1EF70FD3BFE31039FC32E78EB1A801969Efalsetrue 23542300x80000000000000001314266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.420{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3CD61BCC9B0910D13E8628EFEB4526,SHA256=E778D59A25A2116A2EEE7B393CEC5C7C3FE6048CD3CED365FFE7771E0E04759A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:31.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:31.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=590F3393B4C3575272C4E791C4B74F21,SHA256=F639E8486F7651B38A53AA81022D6C859CEB039D42AE085E219FDD277893576Afalsetrue 11241100x80000000000000004295080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:31.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:31.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D275BFE2635295562BF4513C90342BB0,SHA256=F174388F5556B344B774234FBE2E1921138F47363B5007DAA9E49A9B8ECB0CFAfalsetrue 10341000x80000000000000001314265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03AF-6138-BDB0-00000000F101}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-03AF-6138-BDB0-00000000F101}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.076{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03AF-6138-BDB0-00000000F101}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.061{AEE49BD1-03AF-6138-BDB0-00000000F101}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000004295087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:19.689{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54662-false10.0.1.12-8000- 11241100x80000000000000004295086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:32.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:32.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D502A35DB9FD04F7BD87F2B5B2F9A3,SHA256=18D6D0BBCC6E6348DF319B08ED1E86FC5739FE20773C3EFAF666897F854C9B49falsetrue 23542300x80000000000000001314269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:32.639{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D801B61BF566950B68F5FC4A614487,SHA256=1495A30ABEDB05C83818A114BE2AADB946614722625091C9E2694BA8E2B877DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:26.509{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59578-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:32.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=258E37F260F8787C576AB2D13DA0788E,SHA256=1C1F59DF48DE58C0EAF03548B3393FB2FD15CA26DC8F841D60B9B9A05F3680F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:33.795{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:33.795{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDED7CF3119203ACA401A59BA4903F4,SHA256=EF13A2820BC43592FCE5140559D7DFEC10AB1B18A4CC106E4BDD6CDB7C152D2Afalsetrue 23542300x80000000000000001314270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:33.654{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2C6767F6324DB358E06CA4CA048EB7,SHA256=21B5D388A25BDE997F3CCBF20E9262EAA5085A4D0EECBFA8BE0580ABB4E55349,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:33.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:33.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F91CA1A90A10FA2418234DD9A0FC4FD,SHA256=0D0829BFE959707101C53018A17F9615E1F88446E852DCD8982915E4748AE1A7falsetrue 11241100x80000000000000004295089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:33.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:33.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5796F778D85BD75158BB0271D25BDD1,SHA256=4C1D504B25460BE5855F417B8E2B10E9E03ECA4BAE01DFFAFEE65AEA7160735Afalsetrue 23542300x80000000000000001314271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:34.670{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94283CFA040C3EC6287F78FAD0122202,SHA256=7AE39333B12A9F8E37E41F72CFC93D8B037D5A60F4BBE17532E8AD786985E48A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:34.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:34.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80831D076F428D5295C34A491A2ED85D,SHA256=2B6EB7F9CF18A7FE5571E4EA3BC97CC4E1DB4896EDACE1C37E571965FCD19891falsetrue 11241100x80000000000000004295095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:34.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:34.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AF53372EEC7DECD0F86BF397EAA18BD,SHA256=F52C8E6188C634B4A119F47BE1A5A4F2A0879C43D100EFC81E1FA3ACA8F14C61falsetrue 11241100x80000000000000004295101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:35.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:35.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABA73A119EC492F1861D7C022C671B6,SHA256=AEE265D7DBD736BAF20811BED8F10E219CAC63C99762218FF39E5A30972153B5falsetrue 23542300x80000000000000001314272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:35.686{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B983A37EB0D5CCBA95CF0EFA9160EC5,SHA256=CB89A6EC049BF8A16E9D54731230CBC780BF7D3FFD6FCB1F25E98A06EF187655,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:35.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:35.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=590FAA272D6A8B23035E1771E6F5564E,SHA256=4F381A9669066FC5345DBF21DD68B242BC6A57460AABDEC32437FC099967C2D1falsetrue 11241100x80000000000000004295105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:36.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:36.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD8BCCC18B973E7D08FBBB930DD5ABC,SHA256=D20F9C505CE578B0A3AD3CE3F0C7B20F1C71695B0273F7B8B77C227D135705B4falsetrue 23542300x80000000000000001314273Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:36.701{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F47706D4546B2979243092C4BD666CF,SHA256=D18E73D24284B63984752E97F8BDF4572315511F3526E85012503FDA8ED82134,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:36.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:36.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B39A0D1469DD5B4E9371B57843686B98,SHA256=D8ADB983767D1319FEA3D8C7B9C048C56C61E9F75A2A6DAC54B43E431DD41655falsetrue 23542300x80000000000000001314277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:37.717{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB1DC238347552C0E507986E83768FD,SHA256=BDCB0E774F64A268753D33C72772D03A8F7F89152BF6C5C23EEE88CF931D6B8E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:37.968{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:37.968{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B346E240F3C3ECF1D2FBEC7895312C31,SHA256=A52EAB762C67C3343F6A53467DBF7D6FDC0EAEC80D745C3BD3690A54EEA8868Cfalsetrue 11241100x80000000000000004295107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:37.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:37.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93C1D151C813FCFBD612BA36A805BE82,SHA256=869D83169B2FCAA6D8938EBDF409CAFA0B5C151A27C12232148E95BA31826E87falsetrue 354300x80000000000000001314276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:31.587{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:37.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB54433BC1255F7FEE98F980DEE57FA3,SHA256=D019F03D138192C273E1FE2B3A0F6D8C410344F6AED6148851EB6A8CDE72D978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314274Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:37.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C3725A2D8D87728C93BDF2BE0B1A40E,SHA256=ED7ABAF2D3089BE9E01A5AB0018F014418D441F718BAE3394A89FCE0568B2DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:38.732{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A8CB45C864CBF3A1D5A45D09630632,SHA256=7B54B2F37D95DF10282C9B28E52397492A7BC686E4AD7A762B39F9B06C10787B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.984{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.984{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507616DFF71378CDE75A4A8DFA35F8B2,SHA256=00C14BDFDF02B2FFA1034B638EF02CA687C954A77B8BAF6F3CE4F793CAC3F05Ffalsetrue 11241100x80000000000000004295115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2E15DBFB820F58692365A4152547F44C,SHA256=9A8FD64D5E5ED92FB00812B86C8F893E1A8B1D16BEED1C7BA5DC2E01DB1A640Ffalsetrue 23542300x80000000000000004295113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.455{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-6142MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000004295112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.454{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-61422021-09-08 00:28:38.453 11241100x80000000000000004295111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:38.453{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-61432021-09-08 00:28:38.453 354300x80000000000000004295110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:25.673{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54663-false10.0.1.12-8000- 23542300x80000000000000001314279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:39.732{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E204FF23AAB7D70CFF0A0A99187455C,SHA256=954788ED322CEC66901A56892B72CC4291049F0AE6BC25FC16C8EC1DB0BB17D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004295120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:39.469{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-6143MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000004295119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:39.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:39.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=579B6089FCE3625D18FA8037C079E45F,SHA256=0A9D3F103E15DEC47CC099E7A34424A2220AADDAC6DE8BD1FEB3267EB20A2942falsetrue 23542300x80000000000000001314280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:40.748{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B366D5C819DE54C072F9B7DE0835861,SHA256=A5273B59C42B234DBC85E1172B855CE5318FBC906E063A5BBBB40F591A2F76FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:40.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:40.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20636E2FF8D0C8F633DFB4234E286546,SHA256=B9F46308BB842DC44F8CC540FB22D8D827040520E716517DEC990C1FA24F8183falsetrue 11241100x80000000000000004295122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:40.001{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:40.001{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08FDD01063860D6E3A98EDF22BDE822,SHA256=06F93779F13A6654556BC9DC6D7EA47AB2968A05379A92DAFAABD3D7D6A8048Dfalsetrue 23542300x80000000000000001314281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:41.764{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2A98942317E2CE17D310332F4098F8,SHA256=E8A9721F2DAA211907871D5470CA91A8A7E98965ACB6BAB37D292BB7390CE83B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ADD2C7D833FC854B3CAF0D139AA03C9,SHA256=96A8E1AD64809C263B20990C9C2220252B69551792F21522341BB9C258519760falsetrue 11241100x80000000000000004295128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.204{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.204{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5DE57324DFDBFBE100E38A3E873B383F,SHA256=01F234920CB304699A68AD2F0915F1B868EDE696A11AB3EA01C6417AB381E9A4falsetrue 11241100x80000000000000004295126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.016{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.016{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102588E33614C6C23EF19878E532921B,SHA256=E645D39E4B160251649D6577D39691FB578816625D8DE7408C0F97C2AEFA2AA3falsetrue 354300x80000000000000001314284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:36.602{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59580-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:42.779{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05CBC0CEC83D1B82954100135FB1C1A,SHA256=CDF260403EBA6201FAC849BD76DDF106DC2865A289F12CB72DFC53ED227B9F4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:42.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:42.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24CC236635FFE8CF453E017E71A48DB2,SHA256=770C588EE9C8B4AFB5E884F1EBBB252168A6D7B2626D9075A4A2562193A7F8D0falsetrue 23542300x80000000000000001314282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:42.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB54433BC1255F7FEE98F980DEE57FA3,SHA256=D019F03D138192C273E1FE2B3A0F6D8C410344F6AED6148851EB6A8CDE72D978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:43.795{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F498479427CBE824C254EAAE6D3F38FA,SHA256=F28160090940B6434CD42DF996ACFABDC53516EBB53178693C4DDBECD9185F6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:43.516{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:43.516{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD34DAB187F7B173105DBE2BE4230C47,SHA256=7B4F6342E39C39603C0DA2CC40ECD78AA0DB54F9D65A53FBC64E50CAF30BEF27falsetrue 354300x80000000000000004295135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:30.675{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54664-false10.0.1.12-8000- 11241100x80000000000000004295134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:43.047{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:43.047{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D011A5688C7B240BFC4124E1E6BD63,SHA256=46887D99707E298090D60D537A0793E6F759BC2ECAA4D893F51BFC04D4335789falsetrue 23542300x80000000000000001314286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:44.811{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E49C83FBF3FED2E2F8D087F3F21D82,SHA256=4755557E5AB0B9C9E080202690CB94DA4ECF02491BA9372248F7FE013128B8BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:44.407{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:44.407{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C8DB31D9EA2A288D3B170A4F79E06E0,SHA256=C7A851DA70DAF86D75E9F281F64FEFD0A647E97F7DF9519184F2548D0AAA7F07falsetrue 11241100x80000000000000004295139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:44.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:44.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FB4DC4EB84A208B4A9AFE9D3CDD271,SHA256=CCC53B91657D26A489D26FF61F71A9395E1F3359B4643083F66B47EB7745A743falsetrue 10341000x80000000000000001314315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.986{AEE49BD1-03BD-6138-BFB0-00000000F101}34485732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03BD-6138-BFB0-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-03BD-6138-BFB0-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.873{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03BD-6138-BFB0-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.858{AEE49BD1-03BD-6138-BFB0-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.826{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15783A3DB8FB6C4D1E509A8FC73EB8D,SHA256=D9AC6BB991A133856CA7C25CADBCDA822FDA4E7B7CACB7E209518E85A0D1E320,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:45.641{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:45.641{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E633EE4EE4AA5A52B07F4EAA4C3AF0CB,SHA256=1B0B140B8903F05FADED01D50F0AFFCE0D953222E21B6E80D956041978CD3074falsetrue 11241100x80000000000000004295143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:45.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:45.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33332CEDB0C8B2EBE6F0E60806C6D310,SHA256=6855C39EAED32F4D0D881E15033B90FA942B76259CDE8D74D49112940E62537Afalsetrue 10341000x80000000000000001314300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.295{AEE49BD1-03BD-6138-BEB0-00000000F101}38045956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03BD-6138-BEB0-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-03BD-6138-BEB0-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.186{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03BD-6138-BEB0-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.171{AEE49BD1-03BD-6138-BEB0-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.861{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4730F16D021234D4AE7D75A857A7FBA8,SHA256=4BFE90A71CEF1E04D4794E077253CDA66AB8A0D71396CB3DB5D0CB219DC131AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:46.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:46.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50E49925E88FE689D90D7B605199C3D4,SHA256=D8FBF3654247EADD5CBA7A7A7CD3188D139D8918D26A0AE300CD28780E6FD40Dfalsetrue 11241100x80000000000000004295149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:46.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:46.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=496BFE78FED44FBCDD83195C9B4E4168,SHA256=12C1CEED8F73EE85BC8A667C0F815A7C6F8CC5C6EE45A3A5BE77462F6C1D9D17falsetrue 11241100x80000000000000004295147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:46.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:46.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACAF7E2846426F1BEF677E6C92394D1,SHA256=AF693C60748C17521C4BBBFAB8F88A48D9C8345F2F7C47FEC2EA028B8676DFDFfalsetrue 10341000x80000000000000001314330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.674{AEE49BD1-03BE-6138-C0B0-00000000F101}46804596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03BE-6138-C0B0-00000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-03BE-6138-C0B0-00000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.549{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03BE-6138-C0B0-00000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.534{AEE49BD1-03BE-6138-C0B0-00000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:46.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AF3A9A00E906EE403DD3A0CC0D189BF,SHA256=9AE8EE0B409EAFDAB1D79AED588CBE2C6FFC2703C126110F5620FB40654C1FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:47.924{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48F157B29B57B08D53CF898347D0AF3,SHA256=5F8B43BAC17EBC88540C0B8C045CF0D4148E6EF64D567745953E750F49114EF1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:47.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:47.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E6A65EEC69569D95F67A46C07DA8B,SHA256=A0DA41D85FED14D98967BD4181F9E96B42282ECA1760E1368D1FE56AFA3D7CEFfalsetrue 23542300x80000000000000001314332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:47.768{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B799E9C3359C683878F1BDABCB33E97D,SHA256=6B779D503CEE01756AC0C807E05CB5CBF2C32B1E7E6C07FB22BBE57E5980674A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:48.955{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59597F0291D0D7CF4B9EED3CDA31665,SHA256=861E19C07E7164F9A32CCB0EBD05BF3E77C6E7B341CDD19226D3830990C5B04C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:48.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:48.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E03A6728CF11DCB6F31841351B871955,SHA256=3AA212FE2E97EFDDDEB5D5A010BC9664EDE6A8015CC13D3FEA0DDFD4499C907Efalsetrue 354300x80000000000000004295156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:35.677{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54665-false10.0.1.12-8000- 11241100x80000000000000004295155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:48.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:48.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D1D5997244EAD98FC592938FCC1BD2,SHA256=804C977547C4D6F7A8CB45B35F9C6D50FEEEEF22CC5363CDE4EFDC71A199F7A8falsetrue 354300x80000000000000001314334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:42.434{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59581-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:49.986{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E334DEE68306D0A53EAB7E4CCBB6FD,SHA256=AED96F88F58A1F7028008B5E9C5DB4D4529B4A4659498F78ECA67E0D970D535B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:49.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:49.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E0C8666C790DB45209AAB5B0DC29607,SHA256=5448C46676AE1057CE86E122E447B7472F02BC8AAD54BF74DABB182E70E98F1Efalsetrue 11241100x80000000000000004295160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:49.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:49.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C322279BA7C7F682E89632662B0E21DE,SHA256=E396B8F38E93EF08C088E637AF4E38AB6BCCFEC3445A6DE51C04853CFB537E96falsetrue 11241100x80000000000000004295166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:50.346{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:50.346{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4FC09CFDE9AA033118495C8214D1B688,SHA256=AB11E23FCC91EA38298069E3931115B5AB21AF96157BF46A69298330946C08CDfalsetrue 11241100x80000000000000004295164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:50.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:50.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089DCEA7059D420451C0C18FF8AE3653,SHA256=0DF02DC4038F974EBD445AEA7278094176A2D111368F6F1A57CEBFD4DE696483falsetrue 23542300x80000000000000001314337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:50.565{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:51.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:51.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748EE0F657F90E0FE2E4545515EF2D04,SHA256=FCA455C512BE13F280128FF339B3E7DC2C00D47564161CA5AF07074BAC58C310falsetrue 354300x80000000000000001314340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:45.903{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59582-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001314339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:51.643{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4FE796904AA0445930F08ADAF42E886,SHA256=DB128E84A542B1926C71818C995D2AFD92D5071D18B460E142A3684F7D1CC32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:51.002{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6382ED51F4D9A4E220EDD33CA5CBAAEC,SHA256=CC13DAAA9874EC6AA60B0BDF69F22574FA38B3B837F3622924EECE029185F7EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:51.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:51.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=729CE9298234E18B3BA350001DDCC744,SHA256=DBC656CA981AAEEFCC46A875CF19A9F949EB639A58EB49F087732A81614112D5falsetrue 11241100x80000000000000004295172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.315{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.315{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389A742036C7DF579743451135525CFC,SHA256=311D1E3ACB51C4A4FE2045B41A82FA863DFE3ABBDDA9E5125A58F6F111C70DFBfalsetrue 23542300x80000000000000001314341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:52.049{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4C3AAD4F0F0B329464017CF6112B74,SHA256=9018E9BCED5491FE4B1149BB98119DC1BF5D52E2CC30AE5F5607D24DD3C853C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E6F37414AB571CF1232DE403A4A4DC87,SHA256=B0E7F346E3E6C236796CB3A93FA9797A49B7F0573E363D42554EC386718B2894falsetrue 354300x80000000000000004295179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:41.520{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54666-false10.0.1.12-8000- 11241100x80000000000000004295178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.346{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.346{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B517533397C2616A200DC08A3E103F4,SHA256=C5BD51EA790E47719C2DE11E8D9D1ADE2C63ECEF0583BC0184A5AB55071E11EBfalsetrue 23542300x80000000000000001314356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9EC46696116179B3D1C6D54DB7D67AE,SHA256=BE42B47F92A59B4F074E44C8F16FAC6AA7FD356D5EED7600857E303DB2918A3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314355Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03C5-6138-C1B0-00000000F101}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314353Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314352Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314351Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314350Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314349Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314348Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314347Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314346Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314345Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-03C5-6138-C1B0-00000000F101}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314344Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.112{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03C5-6138-C1B0-00000000F101}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314343Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.096{AEE49BD1-03C5-6138-C1B0-00000000F101}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.080{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DFFCA6ED2FB4C0A1CBCDEBE3F937DE,SHA256=2F0C5AF8FCEF5D638CF90FEE65281D08E4E5333D9F94109F432C010869BC68D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9819BE2C233357AF5D841A18BE82EB9D,SHA256=447BB13FD66F44FCE5179887DBC09FBCB8B16B1689EEA5529B1063CD360D5FA4falsetrue 11241100x80000000000000004295174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC12108A9CB9013AE415ED6B8394498C,SHA256=C9F283D138A239171FBD9215A816291CB6E3744CF9F56D90CEB7E399D6B15099falsetrue 23542300x80000000000000001314359Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:54.471{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72E7F4DF0FBCDDDACAE32EC4F7507753,SHA256=0E49F1DA5AA90633919A30E2B3E66C3E532B09F2E2117554CFAD0A9E52058151,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:47.466{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59583-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:54.096{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C641D8E3C35C9AD36E96D1A6837073,SHA256=100B357E502F4EAF603C40A019A11A096385E224EC946CCEB167260387E62516,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:54.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:54.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB45DC2EB9B4AF295C665FAAD7148094,SHA256=E819DF9FDFA6836FF440B570AF532FE12F0E74B26FEF081F4C95D1AD091EA6DFfalsetrue 11241100x80000000000000004295183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:54.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:54.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BA6C1D261DE9F10CCEA1641978B3A0,SHA256=D4FA7876502736BB8E4C06F34C3A76DCCC2FDFF1BF63135449AA62F367EEDACAfalsetrue 11241100x80000000000000004295189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:55.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:55.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A25B563177043B90C887281FDEE7551,SHA256=DFA1460444BDE011A17B426729057B9BC76CB7FFC2366D1267F372B28765898Efalsetrue 23542300x80000000000000001314360Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:55.112{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29284EA7C495CB5DB6F51E0C875EBD5B,SHA256=A091E6A506B4FD25F2AC7FBC4A13353CE787F71E5C301C0602A32BD04EE06978,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:55.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:55.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6F18A550B5FA6AFB20A0BA059305191F,SHA256=627DDF49E3F01D067A284B97E865E9333164A156F72FE880588712B9147FE939falsetrue 11241100x80000000000000004295193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:56.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:56.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F52712C95D5905674A38C506104B756,SHA256=C0C1BC5DA1E354C57B1E6A875DA666C7D93641DED38C9735506EFEDBDE4AA263falsetrue 23542300x80000000000000001314362Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:56.705{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F690736E1B02A88383695916BC46B6EF,SHA256=9E7326BFB83E1C84EE59BFE7C67B8AAA74A6E6B748DD7ECD934DCC4ADF4BA730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314361Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:56.143{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A490CF947A3F9ED38237FF737DD56D,SHA256=04C7E9DA648C39CF526A2C38C2D9D1835A458B04385355F9A990223D5612946E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:56.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:56.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=04210A6A8BDBC49CA98582162BF91018,SHA256=C82A8DC72FBADE4E7F51116303C6F721A12C33EC4126EA7A6B3B4E56151D7A23falsetrue 11241100x80000000000000004295195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:57.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:57.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA103093678C50CC75E26D025818EA11,SHA256=8F2945DCC844105D80F8DCF475E6122D479644D024B401040F19545A1F708592falsetrue 23542300x80000000000000001314363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:57.174{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F680D0C766BEAD6127D8C2096E5154,SHA256=A57947B439E9C104619941B629E178E096F0084CF44F31D8C1491A4F487CA395,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:58.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:58.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B36A7CC5269C0B1A5AB192E891ADBF4C,SHA256=6D2BECDDBA1E5D0C6FA682CE85641C6D1180C7F0AF8D6D1D1E2C8B05FF261CB6falsetrue 11241100x80000000000000004295199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:58.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:58.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC7CF9373798496BBA7A9C81D3B3FE8,SHA256=8DAB53E942D79F03196A33E15688C2F6A484EE222AC7A08D8C0467A7E27F2D09falsetrue 23542300x80000000000000001314364Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:58.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80AF23C061C76D229FA1FAAF55E709F,SHA256=A124004CA5ABCF673D35B39DF29E5B194B7508ACC20AE386799D77DBA99E6EA2,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000004295197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:58.065{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:28:58.065{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x80000000000000004295212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:47.567{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54668-false10.0.1.12-8000- 354300x80000000000000004295211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:47.505{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local54667-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004295210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:47.505{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local54667-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000004295209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 11241100x80000000000000004295208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=628CEDA3DFDC666CC347DF30B30EAEE0,SHA256=31733A20CE540E745EB7E04D9CA90905B3998ADFBE5970701D76D7DC3FC6EA44falsetrue 23542300x80000000000000004295206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C550A1E3EE51EB8375419378712FA65,SHA256=2A941DF1B1B3E421742C0A1F8C26CAE258B52C29EBA8732418AB83AF130EC47Ffalsetrue 354300x80000000000000001314368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:53.481{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59584-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:59.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D121699B6B6786709694F82C450B51,SHA256=9163A7AC64594549E671A822427DB672DCA88C68CCC0F660539726E16F9B7F2B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABC8FF6382672AAC5431D14C2CE1CC37,SHA256=BE9D077A4A499C5818861CABEB93B3EFF1881485814D8C20B03640C246209313falsetrue 11241100x80000000000000004295203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9819BE2C233357AF5D841A18BE82EB9D,SHA256=447BB13FD66F44FCE5179887DBC09FBCB8B16B1689EEA5529B1063CD360D5FA4falsetrue 23542300x80000000000000001314366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:59.158{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADEC99697AF595AABC8C14DFD988995,SHA256=3522C0F8566E9769384A99AD65B0564AE5C95CB270DF5BDF7870F5453C4DBA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:59.082{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-6133MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:00.877{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:00.877{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85D20F2C0886CAEB39CADD189E415939,SHA256=27CCE39A97B6F2FA92CCEE925A8BD9A2F9CC539F6BA894A74CAE206E86FF8DD5falsetrue 11241100x80000000000000004295214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:00.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:00.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403FD64A9D3927B416986B30117CAEFD,SHA256=74923CAF8AD50190C325354217FADA4BEAC2C6DA177311C5193BE6C129762934falsetrue 23542300x80000000000000001314370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:00.249{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6634165F0B8A863E11DD4094DFDBC2A,SHA256=6B56017C0D595DFFB9EA0787FBC5FAD401266FB960ED2960CB18ED9D81C77CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:00.096{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-6134MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:01.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6D110F07F3CBC42BB9A7786469B099,SHA256=4FAA300D69E3F339B38C1B8165789BEF5ECE71B22E014A313FA333FFC333A549,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:01.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:01.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABC8FF6382672AAC5431D14C2CE1CC37,SHA256=BE9D077A4A499C5818861CABEB93B3EFF1881485814D8C20B03640C246209313falsetrue 11241100x80000000000000004295218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:01.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:01.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3FF79CE0903E25D84C9DB83F6F0973FC,SHA256=E4942956CD513809FD755E0711F43F795244249BB1DC97DEBBC11051F4425C7Ffalsetrue 23542300x80000000000000001314372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:02.298{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C982769EF7051FAFBA8EBD3E6901818E,SHA256=50EF11640BB3D8E354844F02CCFA31AD079D2E218673F970E6E46E919EBA4C1D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000004295234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:02.627{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:02.612{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000004295232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968\lsassC:\Windows\system32\DFSRs.exe 13241300x80000000000000004295231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x80000000000000004295230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x80000000000000004295229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-09-08 00:29:02.612 12241200x80000000000000004295228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 13241300x80000000000000004295227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Config SourceDWORD (0x00000001) 13241300x80000000000000004295226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML 12241200x80000000000000004295225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 11241100x80000000000000004295224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:02.612{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML.TMP2021-09-08 00:29:02.612 12241200x80000000000000004295223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:02.612{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000004295222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:02.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:02.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F532BDC68BBB241BBC89986B9E0DF7F7,SHA256=C429483850480797A1ED2FDC7D7657A5ACEF00F79C75E279B5BA0FE3C1943FEAfalsetrue 23542300x80000000000000001314373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:03.345{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F836649B961719BD55551A4FEBCE45,SHA256=FCFC092976D05FDB99B7DD7AB3A6EB66F2D3C0B2F0B202FC98B6602888352054,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.069{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54671-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000004295246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54671-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000004295245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.064{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54670-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000004295244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.064{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54670-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000004295243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.052{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54669-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000004295242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:52.052{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54669-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x80000000000000004295241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:03.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:03.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2520499BEFB9D0D54C3542AE26BDE11D,SHA256=B0C2FAFC1CEB741241AE96D0A1772D8CBC6C12BB1EB26B171F1A537B49A356D0falsetrue 11241100x80000000000000004295239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:03.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:03.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD8C74E588663B2D5901ADDE4027EBF3,SHA256=B249A7524C92F4B3E65C7151168994C9EA1028890A7086D470DAD6D4583AB7DFfalsetrue 12241200x80000000000000004295237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:03.643{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000004295236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:03.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:03.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDA2B16A9B2E76DDC554C759A59F092,SHA256=E21928ADB2098D6406C97FB6AC5423B9F182987E365E5630490102B338B46DCEfalsetrue 23542300x80000000000000001314374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:04.361{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E33D310EE89D256A83768E0531FBBF,SHA256=A594D235E6BB82F6FD3EE94808339B8DC3251FB8BF55A2FE5DFADF9023F1F46B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B9FB22EC67B11CCFE46DE8C0E3D08D8,SHA256=A9E9B38593AFF75499FECBE6CCFAAC9ADF6E790A8E0ABDD024A0E977DE9130FDfalsetrue 11241100x80000000000000004295251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AB3A97021FC5FCF5F632AF450646B79,SHA256=6841FA79CB4DFE3CA706C1231AC634FAAC15D100E6D4F91D59A20D36974C59F0falsetrue 11241100x80000000000000004295249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A68ABDDE0DE89DF26798B4E0CDC60F,SHA256=A0384B9B79357F641BE46A805314646C929C2F2173775D40B3DC434737E23305falsetrue 11241100x80000000000000004295257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:05.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:05.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=523327E95C272EE57BC6BC8E68A4B4AE,SHA256=4A413024BBF343EE6F5BE0B2D8B2FFB9A8709078242565D9D3E1FF6CF777B21Ffalsetrue 11241100x80000000000000004295255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:05.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:05.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578036884B8BDA8BD8AC57C34DA4C0C4,SHA256=901B4AF548D8C21FD0AED7228AF45AE69A5CA970B80B7C84D025ABAD340B281Ffalsetrue 354300x80000000000000001314379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:28:59.496{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:05.408{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568138510C0205B54ABE9CA84E8F44E5,SHA256=F052E5BD8BF807C7F140AE2165D7AD3230486115F8AE7E0BB5CD8885518AADB2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001314377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:29:05.251{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a448-0x87bb5407) 23542300x80000000000000001314376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:05.173{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28CD7C6F3E6B5C8CBA15BD331AF2EF8C,SHA256=E65C105C453B34DEB6BDFA07ADBC25C204639B4D51EDD8AA5ABD9D948D5154AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:05.173{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6957FAACBCF5AEA249E4CD7D3C4EEDB,SHA256=BD0EAA9EC2613798A664F274EBF983DD84C17ECBABB7DC65CB0E1D68E5FFCC6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:00.542{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x80000000000000001314380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:06.413{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9E19AA4A170C1C8068E4E32A49B03B,SHA256=B70B4DE8C41AAF2C06AFD602BACDD3BB5A01CAC33D59E1387B5405D524713D39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:06.929{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:06.929{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61ED1A03532FC6CBFC87993920C00B89,SHA256=DBE04E148E78574160F44F6F50708F2883B1DD2882AA9D2567CA1CDDA6F8DA51falsetrue 11241100x80000000000000004295262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:06.460{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:06.460{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=72FEE5630D9477D605A0E689F511B193,SHA256=C29F83106088889E365FD41D42454AA20DE793827A701251223D0085B1BEC0AFfalsetrue 11241100x80000000000000004295260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:06.195{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:06.195{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2868B63498B22608164A6DC51539B85,SHA256=24D5F0587AF5B4DA02D7E9A50FF11322E57B5A5B9F101D91D0497CFC0BA64846falsetrue 354300x80000000000000004295258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:53.614{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54672-false10.0.1.12-8000- 23542300x80000000000000001314382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:07.429{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CBC66F471688FE64EA08E003C6DBC5,SHA256=C2317B6B3A3D42AF35392BA3F744006718F2C9610B9E98BF61C9A77FF7DE1227,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:07.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:07.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1BADE1C64379DBA0E146260259A812,SHA256=D2C2E31C64409AEEDB282E1BEC552A4684A60221157A381D4BEBDF2AE8602BEFfalsetrue 23542300x80000000000000001314383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:08.445{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7D254F9E4724FE034CC27DBCBFC7A1,SHA256=2E45A2A0F97AD6A7595C72EB1F6BB2D1C876428325C775DFC6587D3DD3248722,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:08.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:08.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3959F025D1CFAD8853B536D1A6A068D,SHA256=A247246702E8F83B30EFE464CEADF33048BBE293F646CD2A080AF7937F7FC376falsetrue 11241100x80000000000000004295268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:08.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:08.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F399F57D6506B292B4904181B7411383,SHA256=5FE83CBB52BA6D39A5783C6A23902F3BBF01DFF84C834A68606DE8BBE5C2BAEBfalsetrue 23542300x80000000000000001314384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:09.460{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFE7795AB4D48FA115B07184301A9D1,SHA256=52CCB059B5387413B4D44115545719764103DF9405E8DD6054B5201B764EE408,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:09.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:09.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=044BA6E72460877A3C37E1C24537E8F8,SHA256=1CCDC9C5364FC366D045AF2F5CFA68068ECF28FB535985F31BFCFF6EA5F13342falsetrue 11241100x80000000000000004295272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:09.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:09.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B1D597A5B1C8C0B047CFA95DBD93DD,SHA256=91F1926F98604D40092F3710C926BFEC607DDCA31AA4B824F1BC4D42805BA8ADfalsetrue 11241100x80000000000000004295278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:10.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:10.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3EB4E7214D2C6C0D2E8262DC0C6733C8,SHA256=58C42B4B413026826125E920BA1093CA7A72D2CC7CEDA380C15561049B8028E5falsetrue 11241100x80000000000000004295276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:10.367{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:10.367{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D93A3178BBADF1161974F0F0E34F16,SHA256=3CA9E3E52FA41831BA0EB9BC031B96DF6655802D123D9C751A3C99FF0CBDAD32falsetrue 23542300x80000000000000001314385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:10.476{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02DC2B037ADAEC9E8F031E4134EF9B7,SHA256=1DD7272CDD873335827EAB2CCD1977F478C9A5349768295E86584DA5296787AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:11.492{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:11.492{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D008905170F47E9D7197F87B8434779,SHA256=C754EA264719D95C9332392A0CF5C516426B5F6C8D70C5800E02DE7A149827F6falsetrue 11241100x80000000000000004295282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:11.382{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:11.382{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C2EB69563205C250FD4BAF96A2FA70,SHA256=1CEAD0CCEF94490AAEC4983F3EA1E6FB52F9A1896975C1C6B40980BA4964B19Ffalsetrue 23542300x80000000000000001314388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:11.491{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FCA29A963CBB3BAAF8222FC91C4871,SHA256=060F5B5FB447C89693DEE6928703FFCF2C5FBAA414CAF6ECC91B44CD0F916BA5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:11.195{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:11.195{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7D2F508973FEB576FA6DC01CD6E1E1B,SHA256=C356FDD6414DF13753468E99C208735AAD15B871A969579501E1CF9CEB0B0916falsetrue 23542300x80000000000000001314387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:11.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF9911EC8C37062BC13FAC5B215ACE2,SHA256=BC24655CB301EF6472BA9D010451810E67B38753FB45AB3188F815907E2A7C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:11.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28CD7C6F3E6B5C8CBA15BD331AF2EF8C,SHA256=E65C105C453B34DEB6BDFA07ADBC25C204639B4D51EDD8AA5ABD9D948D5154AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:12.538{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEC9475502492AFBC503692772E8610,SHA256=B05A289950738DEAA7CED107879421A1D935EA62B4FC9805194C49BF37696DAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:12.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:12.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6E7D1A5058DA0C6F613F0ED96416D5,SHA256=F04396A962D50719B9DB2BE7A8071FF859A2D0A8EADEF2D1C7146F499A4036BEfalsetrue 354300x80000000000000004295285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:28:59.619{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54673-false10.0.1.12-8000- 354300x80000000000000001314389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:05.517{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59586-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:13.601{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA8809827F869DAC184B977FA6E6270,SHA256=E5C0BF2B3E45C302E672E89FC0D68833D929AD41768A4B226F13B8FD2B6B3987,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:13.804{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:13.804{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FE9526ECD24F364C9C91325D69530595,SHA256=78E5FDC617EE2E94F436E8FEAB03C747D4810A8ECE2713E36A7B1170AFC307A6falsetrue 11241100x80000000000000004295289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:13.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:13.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8943787CB3069156F63983A111F7D15D,SHA256=0B5BC54AD21469151E836C20F24EF2DBC31587A1D64CC60AFB06890FC3DF6B05falsetrue 23542300x80000000000000001314392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:14.632{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0276D8C22E386F385261C1EC2B6788,SHA256=5E432BEA9CF2BCE60CD5248A5D9247DE9E62C325BB5ADB476840C09722BA7596,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:14.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:14.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA2A03F70249CDF9982BBF5C981A608E,SHA256=3651E5066EB7247E2C4F1F9DFD77CF7DAB6B0B05B4CAC660A01331D4E6AD2800falsetrue 11241100x80000000000000004295293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:14.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:14.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7FB90F913495C655BA98F07F94E09F,SHA256=3EA5587D2AFF72D851643CA737F0F69BEB162B0F542A4192B2B08369705BAC8Efalsetrue 23542300x80000000000000001314393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:15.648{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6167C5E1934AA02E7518A205DCA107D4,SHA256=F0D08116A68ED674D703A5D90200267A424AEB6DF2307246FD90CFA6B99DB09D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:15.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:15.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92F844833454176914B136C5D4088BF4,SHA256=636A4CAF3E19E29589B79CD8E23F84D91539E2744C3ADFD24E1B65EEDBE73F58falsetrue 11241100x80000000000000004295297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:15.492{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:15.492{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AFC1B738F7EA3C5DC317CE0AEFEFD4,SHA256=6C788CF701CA92C82214C64FA080C30DF5A62810E93D4B4319B192F9938DE772falsetrue 11241100x80000000000000004295307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 11241100x80000000000000004295306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A0C1966A27EFCF9257DFA1C0C4C44F43,SHA256=03778D264C3D63B6619B9FF5A4EF45FCD1F9D9AD6F64757331C538120DD7F933falsetrue 23542300x80000000000000004295304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5890B82DE9A6D5EB4F73C8C1518ABB11,SHA256=0A841A474175AE1696E4664A592F925DF9BC59F9C59B0A5E4AFAC153EC6A2682falsetrue 23542300x80000000000000001314394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:16.695{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2888C65824EBB3837F3E2EAED687D954,SHA256=F15391F5E39C0E999E6104D98BD99025909A935EBFAB77947800C0A6FDBC5879,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA317C8D59E04EAABE9FEC70A18C5B39,SHA256=90848C96DB26EAB6FBC2ACF92DA9D65F01A30790114A44A9EBE19CE701E0337Afalsetrue 11241100x80000000000000004295301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99A115B31457B6A4FF79133F5918F368,SHA256=99D806DD9028AE3B59F1244D570D4A9C5053612E4E8DB330FEA982EABD616FE8falsetrue 11241100x80000000000000004295310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:17.523{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:17.523{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8419B36692909CA15D71BB7737519A,SHA256=EB1EECDEFE09327A9DD1B562DC14DCC4AC06FE068DE3B80CFF56C26754B456CAfalsetrue 23542300x80000000000000001314398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:17.710{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA4143AB95FB51CE0E02B7D55C20630,SHA256=25AA377A7028B11CB1708B049E55F6D4A47698A1F5109CAAECF50076AB2CAD3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:04.665{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54674-false10.0.1.12-8000- 354300x80000000000000001314397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:11.533{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59587-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:17.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D4ECEF0BE5C46ECA17E8146A8A12DAF,SHA256=76F157CDADCFC5BDA524A1F5A51520081B31AF590E2AD64FB01C1724789294DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:17.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF9911EC8C37062BC13FAC5B215ACE2,SHA256=BC24655CB301EF6472BA9D010451810E67B38753FB45AB3188F815907E2A7C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:18.820{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443BC5E50AD9FB893D1EA5AB3FD7CA4B,SHA256=0E53048533D0830765BBEAD515D645F3C9B8F6BA40920DDEEE4A764F8C9F5E3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.757{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000004295313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.757{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FA9FACD999153AA25D6A442A57F0314E,SHA256=0BDD25E6DB1D6AB0AC7B10B5EF3A0F3D1081EDAE8A2700F108607AE7D370EC79falsetrue 11241100x80000000000000004295312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD04AA1F165D21B71037B9EB7F441A5,SHA256=3EB61CF54183CCFCF188DA17876B2C350C46E80B510A203288F0C0BD3BB23001falsetrue 23542300x80000000000000001314424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.866{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930BBF41A79C3648E40AD265B8232472,SHA256=356DF8E7B5B87AD442BEB50EC6EA5CAF3F219B9E487AE3B559F02D5327EAF3C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:19.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:19.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C31B803EF31A4C33B34CE330CD41F1A2,SHA256=B0E05A64468868A17E155186C332ACBA32E33E503B6F3D6C47850A8B1B5E50D5falsetrue 11241100x80000000000000004295318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:19.616{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:19.616{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FB2B596776CBACAB803F4B0A690755,SHA256=5A7282FD116E393327EA1400CA73A6BFC027B717021D4EAE1C160EEC37EC578Bfalsetrue 10341000x80000000000000001314423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314421Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:19.241{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000004295316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:19.007{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:19.007{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41AA896251D61B6D5B9C5F412AFAD0AF,SHA256=4776EA4966BF406BB48A446B350C283509B4DFFBC42D552F671441F0285998D3falsetrue 23542300x80000000000000001314425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:20.882{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7434935F961EFB80564957278A90BB,SHA256=200F811AC98D92B672905AF2F7065AAC71139C74F81C081F47F1D5148CAC2B18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DFBFB9DFA77A412F47F1C69DF3E92C7,SHA256=C720E2B62A2CA67ABA454A5DADAE7AD0B2684449587CFBD64EC2866331315748falsetrue 11241100x80000000000000004295378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C893E6C8E85807ECCCFDF70D24463BB4,SHA256=9AF9F47E6655736208C4E933E1453D0783BB920EB719F1D963A6CF86773FE003falsetrue 534500x80000000000000004295376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.882{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004295375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.882{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004295374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.882{4DF467A6-03E0-6138-99B4-00000000F001}66684772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.882{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.882{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004295371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004295367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004295365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.773{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004295348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004295334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004295329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.758{4DF467A6-03E0-6138-99B4-00000000F001}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:20.757{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001314426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:21.898{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE93757B3FEC0D1792FC3FDAEBF8EFC,SHA256=ED56F54E52DC29B3494DCB96967F7F08FB2411E07F6A6E16811809686DB00320,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004295499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004295495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004295493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.945{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004295477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004295462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004295457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.931{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004295449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 17141700x80000000000000004295448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:21.929{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000004295447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.929{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC396F2B90FF4E7F46E5D957AC4D6EB8,SHA256=322687F1C0B6DCFFC5B1DB26A7EA37C71354D708FFF4295A9D6F90D27164B380falsetrue 11241100x80000000000000004295446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C15022AF0E20336D6B13F82893942,SHA256=5D882E9AFA3FD41527CC1A0E1854FC64BD8981B267BCAA269280210B30B04C57falsetrue 11241100x80000000000000004295444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A1C878F4FEDBA4DE4AD0ED6FFC3B7069,SHA256=86A2BA4476BC23BDC33E92B2FB7FDE182444776893AA26752C269DE89682CCC3falsetrue 534500x80000000000000004295442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.554{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004295441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.554{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004295440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.554{4DF467A6-03E1-6138-9AB4-00000000F001}42643652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.554{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.554{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004295437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004295433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004295431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.445{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004295416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004295400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004295399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000004295394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.430{4DF467A6-03E1-6138-9AB4-00000000F001}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:21.429{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000004295385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:09.681{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54675-false10.0.1.12-8000- 11241100x80000000000000004295384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8D8BE8884573A07E05D0DE5275D4E11,SHA256=AB99000E996C6FBEA24E878F728D145CB3AEEC4DC867CD0559153EFA4E756B78falsetrue 11241100x80000000000000004295382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:21.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA317C8D59E04EAABE9FEC70A18C5B39,SHA256=90848C96DB26EAB6FBC2ACF92DA9D65F01A30790114A44A9EBE19CE701E0337Afalsetrue 354300x80000000000000001314430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:16.532{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:22.945{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E73009B37B2267EFB8C65A8F917BCAD,SHA256=A72C32D279BDFCFC3F27BDD372CCC110846623538B6D439CE43855786A30CCE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004295581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}12486120C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004295580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}12486120C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000004295579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000004295566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:22.788{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 534500x80000000000000004295565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.679{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000004295564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.679{4DF467A6-03E2-6138-9CB4-00000000F001}41405436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.679{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.679{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004295561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A925AC69D8035035F6E1E9C8EC287093,SHA256=57E09A48CDA1BAF0EC8DADC6248B2E4FD2EE8176EB1DCA3052247F9332ED63F9falsetrue 734700x80000000000000004295559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004295555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004295553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.570{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004295548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004295533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 23542300x80000000000000001314428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:22.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251EC733C3767137ABECA2A559EC1B3E,SHA256=ECFC6924958BC56756DD5C7A3A0EB10F65CA7FA329D3C21742FBA4A1DE76CC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:22.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D4ECEF0BE5C46ECA17E8146A8A12DAF,SHA256=76F157CDADCFC5BDA524A1F5A51520081B31AF590E2AD64FB01C1724789294DA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004295524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004295521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000004295516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.555{4DF467A6-03E2-6138-9CB4-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:22.554{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004295507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8D8BE8884573A07E05D0DE5275D4E11,SHA256=AB99000E996C6FBEA24E878F728D145CB3AEEC4DC867CD0559153EFA4E756B78falsetrue 10341000x80000000000000004295505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.382{4DF467A6-3F47-6132-0D00-00000000F001}8965860C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000004295504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.054{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004295503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.054{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004295502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.054{4DF467A6-03E1-6138-9BB4-00000000F001}921584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.054{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:22.054{4DF467A6-03E1-6138-9BB4-00000000F001}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001314431Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:23.960{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D851D5BED94E140E15A09B0F0C9601E,SHA256=E9CD7A91C011551ACFE6208426795D6332624A3798CB6030036F66905013127E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000004295705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.976{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004295704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.976{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004295703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.976{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.976{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004295701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4ED2D444D4F5E16EB5984CC67C567064,SHA256=4921CD6776807870AB4F6BD83E92AE942B2D38439BD9F6A355F35C9195E31733falsetrue 11241100x80000000000000004295699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9950C8A9031D743FF71148E079DD1B37,SHA256=E88DDBEC170054DFCCCF8A365CD25E7373D794839C4B02CC23133BAE74373E59falsetrue 734700x80000000000000004295697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004295693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004295691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.851{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000004295686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004295665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000004295663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000004295662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004295660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000004295659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004295658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000004295655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000004295650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.836{4DF467A6-03E3-6138-9EB4-00000000F001}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:23.835{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004295641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CFD20DFD48C7FA1758B4037D88B8A4A,SHA256=B76F909B7782418A9D6EFBBE9A410C8CB9C03C319F3665FC64BF71FAB56DA91Cfalsetrue 534500x80000000000000004295639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.335{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004295638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.335{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004295637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.335{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.335{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004295635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004295631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004295629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.226{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004295614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000004295598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004295597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004295596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000004295592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.213{4DF467A6-03E3-6138-9DB4-00000000F001}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004295583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:23.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D12EF7DE835A2E65D00D4A75B507B5,SHA256=67F8D71684045A5EEF83D879ACFF1B4436A81A13ABC282A0B68134C8B6E22E7Afalsetrue 23542300x80000000000000001314432Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:24.976{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D36CA47181B7839FB477DD72DF8DD0,SHA256=E3068FE2B2BDFD5F97055BE9702C78C65AE8BB1B40D5DEECEFC1C9273ABCE44C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.945{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000004295769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.945{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000004295768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8246D531DDEE1183E7246C526BD5FC85,SHA256=77337AFC24FBC0CE538046B87FBD19F8D5040786BF5F7D73E74BE5FA43BC1C21falsetrue 11241100x80000000000000004295766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=588F7821FFD064E4B587874D1DC8BE05,SHA256=109C81DB4152BBBE6513F0F8250775AF9CE3B6BFB72032A5ABA6C8195E138C0Bfalsetrue 534500x80000000000000004295764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.632{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004295763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.632{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004295762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.632{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004295761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.632{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000004295760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:12.634{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60903- 734700x80000000000000004295759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004295758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004295757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004295756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004295755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004295754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004295753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004295752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004295751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.523{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004295750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004295749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004295748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004295747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004295746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004295745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004295744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004295743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000004295742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004295741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004295740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004295739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004295738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004295737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004295736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004295735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004295734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004295733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004295732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004295731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004295730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004295729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004295728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004295727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004295726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004295725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004295724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004295723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004295722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004295721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000004295720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13251117719176C4DBBAFCAE3456384,SHA256=B6033974F93DC980C8A0E8344B69200CA5B25ED9F2F08110D2DF07CAEEFCD927falsetrue 734700x80000000000000004295718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004295717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004295716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004295715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000004295714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004295713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004295712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:24.508{4DF467A6-03E4-6138-9FB4-00000000F001}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004295711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004295707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004295706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:29:24.507{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001314433Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:25.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5298EA93CBD5E92BF6327BCECD349081,SHA256=51D6CC2ED88F71E83ABA92F85BFBC5A37E5219A469EE9CD8FAB49DEF4E3FAB61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000004295780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.791{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000004295779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:14.368{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54676-false10.0.1.12-8089- 11241100x80000000000000004295778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.588{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.588{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D9EC912CAE2E484EA603A0FFBACB493,SHA256=B37069E17688D68491674E32513B856330D76202E448652DD8D106EB3DC9E56Efalsetrue 11241100x80000000000000004295776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D19F636ED5031E4A5976D99603C28B68,SHA256=D611A9F7ACDC94DB3644032C0CFC4F35FC69D0218BDD48065D8FEEFE106ADD71falsetrue 11241100x80000000000000004295774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.010{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.010{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=522DC143FCA16308DEDA0A20C3A96A71,SHA256=D399920F81F5574C42A4E0E535870CDE10AB858D8675ACF5DCE0C4AAE94B8757falsetrue 11241100x80000000000000004295772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.010{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:26.010{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41067D2102C62B907561CE19772B5672,SHA256=289C5081BDF3D7434A7FA8135A21BF29BB75A08E3357CA57210DD6758408409Dfalsetrue 354300x80000000000000004295803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.231{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54678-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000004295802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.231{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local54678-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000004295801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:15.480{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local54677-false10.0.1.12-8000- 12241200x80000000000000004295800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NetBT 12241200x80000000000000004295797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NetBT 13241300x80000000000000004295796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000004295795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000004295794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\AddressTypeDWORD (0x00000000) 13241300x80000000000000004295793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\LeaseTerminatesTimeDWORD (0x613811f7) 13241300x80000000000000004295792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\T2DWORD (0x61381035) 13241300x80000000000000004295791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\T1DWORD (0x61380aef) 13241300x80000000000000004295790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\LeaseObtainedTimeDWORD (0x613803e7) 13241300x80000000000000004295789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\LeaseDWORD (0x00000e10) 13241300x80000000000000004295788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\DhcpServer10.0.1.1 13241300x80000000000000004295787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\DhcpSubnetMask255.255.255.0 13241300x80000000000000004295786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\DhcpIPAddress10.0.1.14 13241300x80000000000000004295785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:27.135{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc9d75fa-3030-418e-87d7-a9a29505a547}\DhcpInterfaceOptionsBinary Data 11241100x80000000000000004295784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:27.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:27.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FABD7AF50DD2E89A827D28154C3BB91,SHA256=26ECF8DB56CD3ABD7873B40047CD60E4CB71948A120661FF9ACE996D1A071E02falsetrue 11241100x80000000000000004295782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:27.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:27.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC343BA00FAB2DFD986E233014C7ABD,SHA256=D9E3B9738DC53CB949985A8A6E8D00A346C57DC33ACC3486AB14C75DCA313672falsetrue 23542300x80000000000000001314434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:27.010{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF7CFEB527C22A4DCC337F6445A991A,SHA256=92D3BCF6A9430CDB19B879993336AFCF17897E1173C2BCB140ECEF59AA5A2BE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:16.574{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-291.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 11241100x80000000000000004295834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:28.151{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:28.151{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E90D983BC65920F00A9603427FCD3886,SHA256=8B50C355C5FC7400981872FFCF1ED46CEFD30C49BFE461D32DA8D283C2742781falsetrue 13241300x80000000000000004295832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{BC9D75FA-3030-418E-87D7-A9A29505A547}Binary Data 12241200x80000000000000004295831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000004295830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000004295829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000004295828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{BC9D75FA-3030-418E-87D7-A9A29505A547}Binary Data 12241200x80000000000000004295827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000004295826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000004295825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000004295824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{BC9D75FA-3030-418E-87D7-A9A29505A547}Binary Data 12241200x80000000000000004295823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000004295822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000004295821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000004295820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{BC9D75FA-3030-418E-87D7-A9A29505A547}Binary Data 12241200x80000000000000004295819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000004295818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 18141800x80000000000000004295817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056\wkssvcC:\Windows\system32\svchost.exe 12241200x80000000000000004295816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000004295815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{BC9D75FA-3030-418E-87D7-A9A29505A547}Binary Data 12241200x80000000000000004295814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000004295813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000004295812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000004295811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{BC9D75FA-3030-418E-87D7-A9A29505A547}Binary Data 12241200x80000000000000004295810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000004295809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000004295808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 12241200x80000000000000004295807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:28.151{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000004295805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:28.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:28.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170A101B2F2340C92E9010717DEC669F,SHA256=6A11C4A0E0D941A20F60FB22A16673AFD9AE5C1CF90CA616E7B76BE22DC746C8falsetrue 354300x80000000000000001314438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:22.504{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:28.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05560E98F24B83ADFBB23D0DDDD8AE86,SHA256=14C89E664BC19978763CE0A8BA3BCF49372DE83ACE0EE83103F11E5F30FF5CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:28.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251EC733C3767137ABECA2A559EC1B3E,SHA256=ECFC6924958BC56756DD5C7A3A0EB10F65CA7FA329D3C21742FBA4A1DE76CC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:28.041{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9342CCD317071ACDB906BDC4BFD0612F,SHA256=0E580F768897098E7A3A0DB1B0F04CF97A4B12818186798D104903E042A915CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03E9-6138-C2B0-00000000F101}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-03E9-6138-C2B0-00000000F101}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.807{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03E9-6138-C2B0-00000000F101}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.792{AEE49BD1-03E9-6138-C2B0-00000000F101}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:29.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5481718AF4BDEE46719BDE45B6BFEA34,SHA256=EEA7550F1578E6925E731341483EB077E4AF7DB0DEC3C440802D6D6D49439BD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D81467B3DC06C6D2A93EB6F02F8C2AFD,SHA256=5A56E62010AE2C9DD510C18A1B609E543AEB68B31CE42A47C4E93E49B08340B3falsetrue 11241100x80000000000000004295864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.369{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.369{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BDB9E52DF4713C892AEC3DB31A169EF5,SHA256=D06CDA17F8396C44B52B9C0A7952582450C6F7ECC9E84CC999ACD2B67F21C3E2falsetrue 11241100x80000000000000004295862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7210F2A5CBDCAF1CAA891F29D56213D7,SHA256=778BD4B1EF5560407F59894F893BDE6D10FA1E8DB61DE212123DDB3A67A205E1falsetrue 11241100x80000000000000004295860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32124D6975E33D53E3487C0C718605F6,SHA256=93198FC33E69BA76E344DF171ADBD3B0BED63A4BC1D2C96980161580FD353F6Efalsetrue 12241200x80000000000000004295858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000004295857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000004295856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000004295855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000004295854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\FlagsDWORD (0x00000002) 13241300x80000000000000004295853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\TtlDWORD (0x000004b0) 13241300x80000000000000004295852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\SentPriUpdateToIpBinary Data 13241300x80000000000000004295851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\SentUpdateToIpBinary Data 13241300x80000000000000004295850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\DnsServersBinary Data 13241300x80000000000000004295849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\HostAddrsBinary Data 13241300x80000000000000004295848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\PrimaryDomainNameattackrange.local 13241300x80000000000000004295847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\AdapterDomainName(Empty) 13241300x80000000000000004295846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\Hostnamewin-dc-291 12241200x80000000000000004295845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547} 12241200x80000000000000004295844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x80000000000000004295841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:29.166{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 12241200x80000000000000004295840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000004295838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BC9D75FA-3030-418E-87D7-A9A29505A547}\RegisteredSinceBootDWORD (0x00000001) 12241200x80000000000000004295837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004295836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:29.166{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000004295884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:30.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:30.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6E2F2D998CE1854E39022C24468C01F2,SHA256=0C455CF1A6909C0FA4002CA71E2F9E029727A5E3810A87790426343A47E4529Ffalsetrue 354300x80000000000000004295882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.617{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local59743-false10.0.1.14win-dc-291.attackrange.local53domain 354300x80000000000000004295881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.617{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local59743- 354300x80000000000000004295880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.617{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98b0:4928:29b:ffff-59743-truea00:10e:0:0:0:0:0:0win-dc-291.attackrange.local53domain 354300x80000000000000004295879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.616{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56013-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domain 354300x80000000000000004295878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.612{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63718-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004295877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.612{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63718-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004295876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.611{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56177- 354300x80000000000000004295875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.610{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local63717-false10.0.1.14win-dc-291.attackrange.local53domain 354300x80000000000000004295874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.610{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-291.attackrange.local63717-false10.0.1.14win-dc-291.attackrange.local53domain 354300x80000000000000004295873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.608{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56270- 354300x80000000000000004295872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.608{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-291.attackrange.local56270-false10.0.1.14win-dc-291.attackrange.local53domain 354300x80000000000000004295871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:18.608{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56904- 11241100x80000000000000004295870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:30.260{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:30.260{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252A1DC2FFE28C9E304AEE113AC2A9CC,SHA256=EC085BD3D743FBFF23B7F22AD2B7887CDC4E5B9CC79276C7929B2E9FBAEA6685falsetrue 23542300x80000000000000001314468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.838{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05560E98F24B83ADFBB23D0DDDD8AE86,SHA256=14C89E664BC19978763CE0A8BA3BCF49372DE83ACE0EE83103F11E5F30FF5CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.604{AEE49BD1-03EA-6138-C3B0-00000000F101}44885996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03EA-6138-C3B0-00000000F101}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-03EA-6138-C3B0-00000000F101}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.494{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03EA-6138-C3B0-00000000F101}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.479{AEE49BD1-03EA-6138-C3B0-00000000F101}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:30.104{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF495A2F849BADB8C85CA5184FA08FD,SHA256=4CBDB46016F96AE7D963045D65D43940F21A0B4859E4E32A2C6DEA810E283C00,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:30.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:30.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AF2484FAFE4BA4A42680D5D06A633C7,SHA256=C8C7435BE9D28B6A5079C25D1AABC1C5FEEF4C562F8E949C056CC0DC2D78C5F3falsetrue 11241100x80000000000000004295888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:31.635{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:31.635{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BFAC2B03FB5569C7D307DE39C1151924,SHA256=359FCF6654B2EB0C318DE68314B60A43F98B5576087E80DD754C984CDB3F28DBfalsetrue 11241100x80000000000000004295886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:31.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:31.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85B03A34877526D0E7A257C4999E8C5,SHA256=2FA1C64A4C73D81204FC153E14A3342C1029D4994EC79033A55B7B50BD672544falsetrue 10341000x80000000000000001314482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03EB-6138-C4B0-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-03EB-6138-C4B0-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.182{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03EB-6138-C4B0-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.167{AEE49BD1-03EB-6138-C4B0-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:31.135{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B93237903783CB0D12EDEBEBE007DE,SHA256=A8849464A0EDA81D15F62E761E73CEAF0065E8D2FF110C71C9567B32B0DB90B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:32.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:32.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842084DF380ABB73C3F3F37B69E5E44A,SHA256=063A56A74F4FCE336FCA5A3D97ECAFF8BDD3E630C58AC1EB7F2409A9052575EAfalsetrue 23542300x80000000000000001314484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:32.197{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31C8399FAEE0D8663DD9E33353820094,SHA256=1A8FFC65B2F4F049E0BF2CD7240633BEB0303FB3653FC8F73497A7EDEC79BA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:32.166{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195939886B1E1C6A538ABE9E8B5CF587,SHA256=36AF32BBCC10B92A6999F8E8CE7E38467D76E5184FEB0A387B4A82973235E58F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:32.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:32.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C3B1D0CB7714A7039B07E30E369E24D,SHA256=33E5D2F7CCED873809A730BCEB754EDADED57B24BCBDD1D186B59C1105FC02E0falsetrue 23542300x80000000000000001314485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:33.213{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF2366128EF031BFD529002958DCAFA,SHA256=CA8F5C1AE060E4D344C92C66196ED1ADB92F7361DC7EBCC00DF52C068A0C28C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:20.527{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63719-false10.0.1.12-8000- 11241100x80000000000000004295894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:33.369{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:33.369{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D64DC5D7328602ED043678F548ADA14,SHA256=3497621FA4D1340E755221D8E5695ABEAACABD3BB352BF03E2C63E40B37C6D59falsetrue 23542300x80000000000000001314487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:34.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB14E3E05060F77B1EC0E537E9BA37F,SHA256=8B18D6EB5A42DDF291C3DD3892C6C02AE2570C6864D35E24925C0F032172C98E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:34.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:34.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BFC88DC72371283336689BABF2C5003,SHA256=CC8ED4CDF0BA1DD2250AA1D54542F1FAB47CE198A3A330C1112733FAF3516C52falsetrue 11241100x80000000000000004295899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:34.385{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:34.385{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC347FA7F12330B968EE98D4DEE902CD,SHA256=87F1294ADA6653989805FF5B34ECDF7EEEC7D01585A4C40DAF660C753F4B471Afalsetrue 23542300x80000000000000001314486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:34.119{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFB2B22EB6BB48A9C163C73850F95218,SHA256=66B747D1654B5D3FC889D2B66CF44053A6945387DED9BC93C96364F9116F4734,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:34.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:34.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C84E6585591160AB67DCBF8E2627304E,SHA256=99CA78409C1A9C73AAE84E41138E29EB1E8603BF9FCBEA35BC99C8B839EB6990falsetrue 11241100x80000000000000004295905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:35.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:35.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=271CACC2AD3E7DEB8CF499A04A68B5E4,SHA256=9ABB250BBB25B2F7885BCBC1BF1618EEF0ECCF94B076585439EAF10F55897A3Dfalsetrue 11241100x80000000000000004295903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:35.401{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:35.401{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4800651E5B06767B91A361AB56E4BB3E,SHA256=EB40E124F141CD4E36B33BD2882481964840C2ED0929CD83B18ABF6E61011228falsetrue 23542300x80000000000000001314489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:35.260{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD172D489A7DFC53612CCCC6EF15F24,SHA256=10ED45D436DA3CBB04A200DB75EC1916B94DA783AD6DF6AEFA49045D221E2D13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:28.457{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:36.276{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C777DA623C556447BD19F94AFCA6E20,SHA256=C25FC47E9D5A3C9EB0A5747FCFA38E8DE0DDB3DB969C261DF94ACCFAA9B97134,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:36.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:36.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=152CAEBFB103FF9AC2B5B20676717B01,SHA256=89FC9B1B4E629790B4F8AE29E6B669C78E1FBCCB5EDBF5162851ADC5F0DDDFC6falsetrue 11241100x80000000000000004295907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:36.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:36.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E708F5AC71E0FEDBDC2577F0E8227079,SHA256=2FCB2BC7FC67EA6AEB84244BE30C8ABFB285B7AE292CD8747B8531147A611F44falsetrue 23542300x80000000000000001314491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:37.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96AD3632C9493A80D4C657B761A0C9F1,SHA256=55C7A170311E753996D23E0E92BB0F8F00F0B710B675D9881625FBDDC07A733F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:37.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:37.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A456562100A3FD5929210CA7C84F5F,SHA256=3850843FD106575E7D0A25DF3DBD9A2D142DEEF582C0A284E42D66956F00D327falsetrue 11241100x80000000000000004295913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:37.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:37.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCD08FA79C4719DC9C9F3BF08085C8F,SHA256=312C5E953B1B48C438A33B75EB5668CCF6AF00E00CEBCD72192A38CC29A12FA2falsetrue 11241100x80000000000000004295911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:37.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:37.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0DE55A809A339ED081F0DC5578D00D0,SHA256=B49FA44CE172875D62F6CD53049DCAE10017D736B5936A2F7D66B6CCA613116Ffalsetrue 11241100x80000000000000004295920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:38.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:38.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCD08FA79C4719DC9C9F3BF08085C8F,SHA256=312C5E953B1B48C438A33B75EB5668CCF6AF00E00CEBCD72192A38CC29A12FA2falsetrue 11241100x80000000000000004295918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:38.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:38.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E358768A3104299C1FE8E7B69D2997FE,SHA256=5601567348AE8ED096B9CED87FD07BE18FA6AE677AE15BB3C980A934593BC935falsetrue 23542300x80000000000000001314492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:38.323{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72230F9DFAF393051B7AA8ECB3D6F838,SHA256=ACE4203D9C70315DFD46E114B0FF0912FD4F6A7A75EF31F9A82C2D11AD3438E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:25.652{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63720-false10.0.1.12-8000- 11241100x80000000000000004295927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.999{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-61442021-09-08 00:29:39.999 11241100x80000000000000004295926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.920{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.920{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ADEB0B9A55437042E5B174F7199B4E94,SHA256=3BFD7117EE272E440C9B057AB94288A654B56D0DBD29FA7378D14E4794FD954Ffalsetrue 11241100x80000000000000004295924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.545{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.545{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49069EC0C0B443CF7CF326A707B1460B,SHA256=BEB57903CF34374108CC16C7A7CE2E765E17E3E9BF2EC5DB640EC6AA78CFC56Cfalsetrue 23542300x80000000000000001314496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:39.338{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728470F975532FF49933A547A987C530,SHA256=46659FFD0099F980229CCB336C5444530EB8F5A002717D71F13586A8D4F14E1C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.010{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:39.010{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE7A3AE818B26DCB8AC1F7265A5AEF43,SHA256=1EDC34B0D680855E8342B4C44488D1A1D8DF70A0BA8E748321711873093DB4DDfalsetrue 354300x80000000000000001314495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:33.457{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:39.135{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7465F28F1260C657D49830DB6A1FF78,SHA256=B4A2EF740C3971D6B8459AC28EE85B15995E6E56A09B1AAB1453C9563DEF8DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:39.135{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A25F67A8A6E9BE3918F6D2B8A3B997C9,SHA256=5890D5A4947B6095B4A68B0FD85D608EFB680FADA5CA9CC8AA123FE7E39BB424,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.812{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.812{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B3F647DF6C3DB0117278E032855B8969,SHA256=665290D5EF9BFA0C871D6F40988C732311334E8D0FA424FB47D69C87408617C2falsetrue 11241100x80000000000000004295931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6484CE640F8E221C55C4DB2C60BE572C,SHA256=D0AA9CF1378256E930E84FD74CA23284D6633E379A2670F234809256CBDEA70Cfalsetrue 23542300x80000000000000001314497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:40.354{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0332C3754E94C1D4A77A1DEFA0E0516E,SHA256=FE3A6E1787C45CB636A54A9C7723BDFB7ADE74F27E67E9DA5D3CC33163CF760C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004295929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.001{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-6143MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000004295928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.000{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-61432021-09-08 00:29:40.000 11241100x80000000000000004295938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:41.703{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:41.703{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=246A0F0B5B7E5C531A3258192A5DF3A4,SHA256=61FFD7605327EFC9256B5F1802738842AD9AF13A379CD26022865298B1F086C8falsetrue 11241100x80000000000000004295936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:41.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:41.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD91C98ED5D2E8295BC7760A5499AAC,SHA256=0C58D59A46A1D65BABB996CC2BBF8210967E4F9A4A59FB4621534E72600427B4falsetrue 23542300x80000000000000001314498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:41.385{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5694B200FC5EF89B4A4AAA22F2E963AE,SHA256=E56CE83BF814FD47E0632AD471ABC7FF8DA786E4EFC11412E15B730473C11EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004295934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:40.999{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-6144MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000004295942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:42.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:42.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D54086DFC98EC0D638CB60B86C3EAA,SHA256=596459F2BBE51301207C56FBAFFBECA9B9E6CE28C23AA066EC0FF6244EFF366Bfalsetrue 23542300x80000000000000001314499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:42.401{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A4BA36CCC9EC809D605E87ABC9548C,SHA256=023E676392968EB8498615AC7805549E3B20D30ECA15C6DF4965C34114F40386,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:42.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:42.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2862B34850CBA6A8B3F4989E3C3BF2CB,SHA256=6B1A114B409EF0A84F0E7C3E3A76A2AB109EEBF245D19BC93813AC88C6FB16FFfalsetrue 11241100x80000000000000004295944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:43.656{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:43.656{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEEA3D59BF0D366EB1A332C99E3CB11,SHA256=6A886CE3CF1745020C01AF43236D4FA4B33069FC89EFC0541F1431692B628FC2falsetrue 23542300x80000000000000001314500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:43.416{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EADBD5970C88F58CB0DC9EF2EE2320,SHA256=A1A265CC47A938E52C2E90BC1D3A336B8683D32A2A170EC2DF900A50A0690977,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:44.968{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:44.968{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1468145429D9245C0E76A989509071DA,SHA256=64EBBEA861EDB5DAEAA7BAA2358B78E780AE4796C6B71FEA7CBFF9BDC3A08F7Cfalsetrue 11241100x80000000000000004295949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:44.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:44.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70171121792F4BD4B0C828BC1F896F0D,SHA256=0728831C37F9D37DB1094ACC33B27E7B8B33903936DD32A9F0EBFC78FCE37D64falsetrue 23542300x80000000000000001314501Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:44.494{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621704C399F1F4BFB5F9E32FFB5DE8FF,SHA256=0A84A6BC80EE49F823C3ACBA9ADEC2AAD54B2498AEFCC609BA98BD4EFB5B5C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:31.516{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63721-false10.0.1.12-8000- 11241100x80000000000000004295946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:44.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:44.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DA61B04B0A3D892F83460FC062DC10A3,SHA256=D2A47105F924165171E0577DD3F09C594F0BE087077F033492F2F2EF277925C3falsetrue 11241100x80000000000000004295953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:45.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:45.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA13A6222CA306C406B8DE2CF57EA0F,SHA256=EF50AA28049D5CAB808C3F8407B497A8A4FE4D9C3CCBBCDCFC1171326CB31044falsetrue 10341000x80000000000000001314531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03F9-6138-C6B0-00000000F101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-03F9-6138-C6B0-00000000F101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.885{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03F9-6138-C6B0-00000000F101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.870{AEE49BD1-03F9-6138-C6B0-00000000F101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.541{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F09FE7E691996FB0D4E1852D127A6CE,SHA256=3BBE1FFB877B905E2BA923D26F0AB24BE41E6993A8807B756098B6473D564520,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.323{AEE49BD1-03F9-6138-C5B0-00000000F101}3724748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001314516Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.213{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F871E675782E75F9C282CFF52218D7B,SHA256=25961F16C6B1D2EAFBCF4320F77F789B275B356C639F90287F9D67B9CC80B2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314515Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.213{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7465F28F1260C657D49830DB6A1FF78,SHA256=B4A2EF740C3971D6B8459AC28EE85B15995E6E56A09B1AAB1453C9563DEF8DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314514Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03F9-6138-C5B0-00000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314513Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314510Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314509Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314508Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314507Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314505Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314504Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-03F9-6138-C5B0-00000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314503Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.198{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03F9-6138-C5B0-00000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314502Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.182{AEE49BD1-03F9-6138-C5B0-00000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000004295961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=607C0BA4989D1C64BC3E3D7E7A8FCE46,SHA256=EBC589AA35A5676B7E774C14EB79944E440BEDBA421E9E6E65813FD7BE0B97CFfalsetrue 11241100x80000000000000004295959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFDA8E9840962036945F15FD44C392A,SHA256=02663A098DC84242FB6AEC06112433A77DA2801D1B00B36552DCEE25066EBB12falsetrue 10341000x80000000000000001314549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.684{AEE49BD1-03FA-6138-C7B0-00000000F101}2628712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-03FA-6138-C7B0-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-03FA-6138-C7B0-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.574{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-03FA-6138-C7B0-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.559{AEE49BD1-03FA-6138-C7B0-00000000F101}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001314535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:39.457{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.543{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4604085214662B20B81C4D8571CC78B7,SHA256=CC08677CEA3F0A213C4C84232B4A41D3C44B9F872225C58E8AFDF0152CE9D4F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D572A80C7C917863935B5B12BEF1C47B,SHA256=6C4B4C68CA3DDC42A762495CF310E01627A24B9F1609A2486C7368FA3962EB56falsetrue 11241100x80000000000000004295955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:46.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8BFDEC0550751EB3FE528DC6C4B777F,SHA256=056A772E01BE7DEE1270FBFB83A1993FE4434274E37B421E700DF0A94AC4C76Ffalsetrue 23542300x80000000000000001314533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:46.324{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F871E675782E75F9C282CFF52218D7B,SHA256=25961F16C6B1D2EAFBCF4320F77F789B275B356C639F90287F9D67B9CC80B2F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.996{AEE49BD1-03F9-6138-C6B0-00000000F101}59524544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000004295963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:47.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:47.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5CB2776F0F00DF3AC9B5A10E7075B8,SHA256=97C6F903C74C64895087E1DBB5961AA5375DABA48C1EB2F512E42A47982DD721falsetrue 23542300x80000000000000001314551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:47.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7BC6F03927300B1FA98291BF056B875,SHA256=F21461ACAA5B679CB8A50CD3AF14091F3A210EB1D1555BE98302B4C6E4DB602C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:47.574{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253EDD76609EEB248AA3FA5BDB70A504,SHA256=3C93B95ADAAE3AD6CD0A00CF0DCAD4DD4AC42900504D0AE6EB91F8C11DA9DCA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9695C45C4FDB8D82B5C6537A5AEC029E,SHA256=D8E6224829BED7361DC4C9FE68EB55A5483A9ED222AAB268C5524FA8D128B4BCfalsetrue 23542300x80000000000000001314552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:48.605{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467F9556D4C878C58E1F7FEC18818BE6,SHA256=EC1D1C363BDFD7A70E9CEC5A8BA2620653BC158AF04227ED92E616B12AA6B1D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004295969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.621{4DF467A6-446E-6132-2306-00000000F001}6656ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6656.xml~RF1688621d.TMPMD5=1938CCEDB6D1C2D71B9FBD689A410B29,SHA256=ACFDC23867C0E7455FC34BEE9076161330046A77422999E289353D7001AD41C2falsetrue 11241100x80000000000000004295968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.621{4DF467A6-446E-6132-2306-00000000F001}6656C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6656.xml~RF1688621d.TMP2021-09-08 00:29:48.621 254200x80000000000000004295967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.621{4DF467A6-446E-6132-2306-00000000F001}6656C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4slhfori.tmp2021-09-03 15:53:11.9822021-09-08 00:29:48.621 11241100x80000000000000004295966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.621{4DF467A6-446E-6132-2306-00000000F001}6656C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4slhfori.tmp2021-09-08 00:29:48.621 11241100x80000000000000004295965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.152{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:48.152{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3CE1172C07AD4AF6C8D0E762BBF6E96,SHA256=5EA2F2CC5984D0F98F365AE66AE961516D1065BC775F22ADB2A9020F0F8433E5falsetrue 11241100x80000000000000004295976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:49.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:49.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672077F90F1A1FE659A1D0E592C37003,SHA256=931612AC515F8823A131872366DBF58DF2ACCD5DF74EFAB431F724C2C4C4DF8Afalsetrue 23542300x80000000000000001314553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:49.637{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6A35DD36AE366081D9A947C02D2322,SHA256=DDEC16ADD5B69ACA0433F2EE541D7081117EC50A967B79FAC9C78440D6B6842D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004295974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:36.559{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63722-false10.0.1.12-8000- 11241100x80000000000000004295973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:49.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:49.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FACB362A50B73C88CF92E40F7397C386,SHA256=841243AA65E47F197D477C83619A6E142C16E779A7F423B7B39812EEDCA6669Afalsetrue 354300x80000000000000001314557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:44.459{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:50.668{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE877A53531587AD1C9983398D4192F9,SHA256=991618CA2A00E72BF47AF4551E90523055DEA40734ED7972413368B80DEDD98E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:50.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:50.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAB936599EA3283DEECDCBE0133C206,SHA256=E105911B3AFD8D85EEEF5E88364C69518FCAD008A5A354E2582692580B9D8014falsetrue 11241100x80000000000000004295978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:50.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:50.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57426A2DE30846DAD4A8A97DD061A711,SHA256=DF9A4B13366E8627742BF6CAAB17692BB84B3ED4C3B7010C2DBA4BD98C92F723falsetrue 23542300x80000000000000001314555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:50.590{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:50.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EEAE06977F977EA25EA4C879ED9134C,SHA256=4D0DB19E6590CBF0CBFA6EE0921AB3627E25816216395FC5BCDDD08843CB1B96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:51.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:51.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0CFD14D9162F57E32D07A88421F4A,SHA256=4EDC1977931755A9DCA5F40E9B356B1A0EC2E3272C2BD17F4BB22479FB5EDA34falsetrue 23542300x80000000000000001314559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:51.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1891BE83722A78ABE8152C5C76C6F5,SHA256=181616E40925640554B92AEB93D2F2747AA82629DC2505E10E93606EB7F607B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:51.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:51.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=420EAE78194F678B88DCA0D6FA9A6DCA,SHA256=6603E77B68B12348665119F50E18C5A2238BD5E0AF145671C3C3E6554C74FAA5falsetrue 11241100x80000000000000004295982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:51.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:51.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C4506EB775592C643B7968B020AFA853,SHA256=C884EC291C8DC04595935EE0B282395B9D3E397C6C84F81CB5E3D52EE499EA39falsetrue 23542300x80000000000000001314558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:51.605{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B20221A207F808CB1F99F6859096B8F0,SHA256=2DE212291E9B9F69E2DCD0CDBCAC4AB7B346A6BF39CE8060545D0B98D9DF14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:52.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68C96044DD6A76F28ECE547D32FA0DE,SHA256=472BD4FC74DF887423240C24A954B101CB404AA8591153CC216A5E37D6AB938A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:52.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:52.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F242F1D55D84D78774389F23FE43D602,SHA256=38830E37BCA54B4A8260FC176F9217D48F0F8F75F41803D212407531F62D103Afalsetrue 354300x80000000000000001314560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:45.927{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59594-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000004295995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:53.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:53.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FBB4D6F933A6D3C7146B53D2C5DE01,SHA256=17A92812A27853E29A1929FAC684D4DD625E63261F829E1AD1FF818F17808D68falsetrue 23542300x80000000000000001314575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C704E3174823B3A55978DF9E1769DB,SHA256=9E4A6DF6867A2B0D0FC5A103D653496B59125D36006F328B0FCE269607689DD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0400-6138-C8B0-00000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-0400-6138-C8B0-00000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:53.012{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0400-6138-C8B0-00000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:52.997{AEE49BD1-0400-6138-C8B0-00000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000004295993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:41.669{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63723-false10.0.1.12-8000- 11241100x80000000000000004295992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:53.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:53.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA519773A58C83111C84D283BDFD24CF,SHA256=946EABE461F04B499DE99D59C3EF424F770C082D9BC3A1D27C922D9668F40372falsetrue 11241100x80000000000000004295990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:53.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004295989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:53.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1020BB21F2112401768AF68C181BA0,SHA256=07A67C249171D8C47B43CD670DE51AFBA8AAC69749329ED319B3C1D9F22D2B39falsetrue 11241100x80000000000000004295999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:54.887{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004295998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:54.887{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1498F58818C8A8C42E43612E488A4C51,SHA256=9E207E0037E8AEDEF25A81149A26B55F26F884FE7F61EBF12905D87CB775F828falsetrue 23542300x80000000000000001314577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:54.746{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65CFA34FCDA4D65416E8C53A93806FB,SHA256=E100B89168F5FEDB20110D30F4A8FC9DA1A2FF24201BA341167200820A04DE33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004295997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:54.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004295996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:54.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F66A286BFD657176521ABBD1FE7F79FC,SHA256=E2450A263843BF53521FC4F39016F3E3F7EE5A06E101915979368CAB7C26E519falsetrue 23542300x80000000000000001314576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:54.012{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5BE167E3E53D9DF07347D153EA3D66F,SHA256=99C6571CC7F76F2C611E57CA7EEA66D96EB97031475492D9EF07A27B9C22DDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:55.777{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D16AFF60964E3F16C5D46218316B7EB,SHA256=45E84D79D41ABC5DBEDB7C9C6165945D58E2CE47C1668061AE56F7F621CFDA05,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:55.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:55.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B8F996AC994AFA62E647DA09B1A4505A,SHA256=B447B135DF341C8A265B7F9203E16E109CBB6430AE3C8CFE6A7DA17ED9302D71falsetrue 354300x80000000000000001314579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:49.615{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59595-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:55.293{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F20C783A802804C39C0AF0BDFF2DD733,SHA256=20A95B7EDC64202BC98CBFFA4754B086B68FA7A0B7744A4BC5B8B247D3A6FAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:56.824{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F439C5FE9C212A2990456EA3C1D570,SHA256=1998C24B0867D0F1E3C9A8431C1FEB30C5CFF0F9EBBB0FD0CE680100EC0894EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:56.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:56.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53500BCC826A553B214DB1C1D395E898,SHA256=BA3C30A4C41438497502E59330072569BECE72A9D6C3220B33D8371C498E0C70falsetrue 11241100x80000000000000004296005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:56.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:56.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=31B1234CBAADA4C132B86B5731A5E385,SHA256=89D7E61F7F4F158C02CD15BDA59723C9069DD32334B89096DC8F6F87BFC67F32falsetrue 11241100x80000000000000004296003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:56.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:56.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6050BCE4251E487702554FC5C29ACC,SHA256=D1CCBE9FCECD8ACE1224DC46D7E42DA938605E69A6AEE7156954B64A4EBFCBDBfalsetrue 23542300x80000000000000001314581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:56.715{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7F8A60E1AC6EDDFE4EA03569C19FA74D,SHA256=CF8F3E89C7124A3F3BE5775E8E73D3FB63915FFF41E8528A102F76C728406AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:57.840{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F56EA5444EEA4D9033D27618390BB2,SHA256=EE93709EBECF2D8DF10541C289C753E65F4AB210B6F67AF4FC20CBB573022F46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:57.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:57.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B222E7ABF6DCE42E134A127A9152F11,SHA256=F5C78C37641DB358B20F824AC62D71CD5769DFED47EA71E37F1408F1C440FC3Bfalsetrue 23542300x80000000000000001314584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:58.871{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B656D26ED3075B1638F0A95B625A01C,SHA256=D227D28CDFBA165860BF1303B62E3A3ADD5BD45BCA655FCAE99F59A760BDAFF1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:58.433{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:58.433{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C90202468BF91C93F1525A0859C156A,SHA256=526DDF8448C78359066108CD278CE99610C359E8B31FD2386257DA2F4D8FE2CEfalsetrue 12241200x80000000000000004296011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:58.074{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004296010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:29:58.074{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001314585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:59.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA595D4BADAEB7163BC8EBB4D2B39D1E,SHA256=B6C4AC5D9A5B8F8243D98CB1D4252D8F3C9F7BE140CB503520BA38EEFC5D635C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004296024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:47.512{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63725-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004296023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:47.512{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63725-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004296022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:47.512{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63724-false10.0.1.12-8000- 11241100x80000000000000004296021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB476998F5426CAB8CBF89B5857F03D7,SHA256=8615C992BD9FB4B7DFFF5D3E734EF5BACA1FDD0D19B4821014185A95C4D8FB18falsetrue 11241100x80000000000000004296019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F89922670A74357BF5991710F5331DC0,SHA256=97CA8A77E17C91967927900D35A3CD95B325A957DD169A5540EFF163CE883EE5falsetrue 11241100x80000000000000004296017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70EAC9E1E0326F321B7E21F16581769F,SHA256=5352A7DF76F5BCFDFB4D78CF531653A4F9F4333FC2D4C0CF0169CC8020F658E2falsetrue 11241100x80000000000000004296015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:59.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA519773A58C83111C84D283BDFD24CF,SHA256=946EABE461F04B499DE99D59C3EF424F770C082D9BC3A1D27C922D9668F40372falsetrue 23542300x80000000000000001314587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:00.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A1F6EE1B720B39246F7C98A0223F61,SHA256=D8EB6E4EEEBCE9A86E90389E594A0EC5D654452AE84BF54DA6D40CFBC6569966,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:00.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:00.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=951D14A07294188D3EC42532487F8F9A,SHA256=203D3D63E5DF7D55723485A869E4E73C110DFB049E22D1C150705A1BB4B8B58Bfalsetrue 11241100x80000000000000004296028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:00.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:00.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E54F6134153502A61FAFC22E68B077,SHA256=4BE0395C596C5F503529D5D9B47B2E3460EECC4FDABC29266BC150D9E1D65F91falsetrue 23542300x80000000000000001314586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:00.624{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-6134MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:00.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:00.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E2D28F9181A4497D8AA2371BCDFB87D,SHA256=B91CC588EE0571B2734605EB4CFC972CCE8F291FFE9477A29CFC30DD93DA6E3Bfalsetrue 23542300x80000000000000001314592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:01.900{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA86D5E179A11A4958E771B8FC6281F5,SHA256=C7054DE9F2976E2188E77786281A0A76CD8410FAA4AC6DB67C1CE87204734011,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:01.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:01.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70EAC9E1E0326F321B7E21F16581769F,SHA256=5352A7DF76F5BCFDFB4D78CF531653A4F9F4333FC2D4C0CF0169CC8020F658E2falsetrue 11241100x80000000000000004296034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:01.887{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:01.887{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1382DB917AAAD1559FA63BBABAB9DDA1,SHA256=F3F3B98F1D00485779C97C85846AC5601611DDC78A7D32C664BF50A36EF9B933falsetrue 11241100x80000000000000004296032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:01.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:01.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E2271D7A267EAE0EDFD5C4CB17C191,SHA256=16693C6881D2CE6849668610679C56FFDA560E2AF6908D5D54644BBA1F17253Cfalsetrue 23542300x80000000000000001314591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:01.637{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-6135MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001314590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:30:01.497{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a448-0xa941aba4) 23542300x80000000000000001314589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:01.012{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F47BA2B05EA6D3E3FFB32A9EC0E3B9,SHA256=EBCECCB4B427E25A6C7EB6721DA9A32A70DC4BEA27A632E18861A4477081EEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:01.012{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=651D88FF248785F049E06F607CB63022,SHA256=D969B55DA3A111E1A24C53787503663ED46F18A5FB8A74FDF16DE3066124875A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:02.918{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925A4DC254E108F1D833BF7D48E5350B,SHA256=5C1AAF85CC9B45C67394DC736619EC774EE9A1EF8CE2C4EBFA6CD5F20BC1809C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:02.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:02.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F480F9FB14E1259091C901F50AA9CD,SHA256=883CA62D0329324D4ECA47C3CD087B8C31FACF38FB4CCE5DD4998B84C6B03DC0falsetrue 23542300x80000000000000001314594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:02.559{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F47BA2B05EA6D3E3FFB32A9EC0E3B9,SHA256=EBCECCB4B427E25A6C7EB6721DA9A32A70DC4BEA27A632E18861A4477081EEB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:55.365{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000004296039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:02.324{4DF467A6-3F47-6132-0C00-00000000F001}8363508C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004296038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:02.324{4DF467A6-3F47-6132-0C00-00000000F001}8363508C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004296037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:02.324{4DF467A6-3F47-6132-0C00-00000000F001}8363508C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001314597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:03.934{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217EEBBE2B8F489CFCAB5169DC9B0B93,SHA256=D889019A6DD5C01D932F5E12A4724B00E6B18DA28C240A71F376B5315A1B10CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:03.621{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:03.621{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EBDCD35FEF4236DF0A97D39A50EBCB,SHA256=F442B699367747B526FAE851756EEB5F56CBC16500F210D0C47DB13C77B19556falsetrue 354300x80000000000000001314596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:29:56.834{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001314598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:04.949{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32286865FF57916CC48E6F5B70512DCC,SHA256=5BB9B0A4212BDAE2194CD12A04072DDE6343E07C2D9BFF4D37227AF653900776,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:04.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:04.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3E8165D17A9EA6E59A47EC20ADEAF7,SHA256=F8F4CE4D0DCE0EBC5AA73E25AC73D4EC2EB3226C5FFBE5692BF610384810C921falsetrue 11241100x80000000000000004296047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:04.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:04.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=338AAD86176A445759F6846D12C28142,SHA256=E651869080E5A437DDBC731D0135B4A9E5AE88F0061C4BB40410B44280EF0EA3falsetrue 11241100x80000000000000004296045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:04.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:04.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1C259810975067AEEAF0F604C7C1140,SHA256=26C2FF6766371FABC58BE257438841BD2A4C16E98D0761F74237DEDF4563DFEEfalsetrue 11241100x80000000000000004296054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:05.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:05.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F03CD5DB0D5EEDC075EB9EF8D7D039C,SHA256=DF4A428F2CA97FD60D5A47B680E58A23AA97ECF3F6AAC0EFE962E345AD5A9DBAfalsetrue 23542300x80000000000000001314599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:05.964{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12EE6404C28B0D2297489F84D5D4F46,SHA256=BB4D8C73CD526D812ABE63EA6BF2C3979FFD3465851E5CC8CCAA998C9EF97373,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:05.168{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:05.168{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB4AD51B1908979FBB77A0C1E47FDACD,SHA256=54AC33DE11BA46048DB573A6AE6E9F15FEDB3C71EF011A3078D8B0A1702A6A0Ffalsetrue 354300x80000000000000004296050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:52.559{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63726-false10.0.1.12-8000- 11241100x80000000000000004296062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=920C059618A3F3B6A986865142CB26FF,SHA256=27B9B0F2B12E624684FB2EE1A9BD62DC034D0744940C0E4303AD7528992F4E62falsetrue 11241100x80000000000000004296060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=02A991E36D4434DFA0B3167B1FB6A2E4,SHA256=D46AA96A8422FDF2978230D8649E7E51C8F22D7AE8D9BB614C7C1F4D8B24294Bfalsetrue 11241100x80000000000000004296058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A061E8FDD212BEBADDCCDC2AD0035EFA,SHA256=B9EA040A5DBF463E4CB920B8B951A94F8584E0FE6EFC61A512E1E0E9509A8AC8falsetrue 23542300x80000000000000001314601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:06.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB9B152A8CBD57172B9C02ECAD85DCC,SHA256=BAC4EE13D9E57F15ECEB481B3EBE07133B2DEE79416902E53B1082EAA3432839,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:06.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A4106F7E43E00306DE13A8F4DC542BF,SHA256=C0F17B2E86BF3539379D09F4FD4AAA10A8207796EF4286B7F7CC3325D65C7D02falsetrue 23542300x80000000000000001314600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:06.323{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78131581D3BF49A166ECD6B7587C60F2,SHA256=8871A4E30DD9255C718E362FBCF12DBD115018DFF0FDFF469122DBA85FCECFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:07.995{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E115F631E72C012631AB33D6DDD87D9,SHA256=B30F3C80E563876BDE1D32081581D1056F1DEF1E4985721EB2856FEC8A02BEA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:07.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:07.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258D5BFC69D32067CEBF97E816842E70,SHA256=3C9E1C7989EA0D7E66F2E90BB19A675451B1BF5972DC4D8200B520BC6FDBF3F7falsetrue 354300x80000000000000001314602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:00.615{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000004296066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:08.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:08.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5BA4707AC3C227FE1638C5B1B979CD,SHA256=F51BBBD94847EB29E2871A6EE91E5BED308FC30067B8B9C5C216F6932034B513falsetrue 11241100x80000000000000004296072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:09.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:09.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324A3AB48F77270B0E4A68E7F0D49CE3,SHA256=5695F28914DCC2F0AEBC553F8D0A286A2662D688A7A8AD0CDE34E421CFF3FF2Ffalsetrue 23542300x80000000000000001314604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:09.011{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33114582F5466051ADF23724AEDE266,SHA256=1F17DF2314354BE1F3DDE97759BF006F159FF36F3A4769814D224A87B1D79450,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:09.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:09.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D1ECEACFB534469332C1D291AEF304A4,SHA256=90C2B6DFC899D7C18DE064A52C019C141CC832EBBAEAF0BF09CF18B0F109BB79falsetrue 11241100x80000000000000004296068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:09.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:09.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F50863ED2F246E84917DC886A3C7C182,SHA256=A26EEA16C701D63BE9D514F5BB46DDD0CE1E0AD67F659C0F5F64051D090DF37Ffalsetrue 23542300x80000000000000001314605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:10.026{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873DECFBA0F75341611AF1BDB06CD6F7,SHA256=51DE5173E0DACB5BA6FEF57EA0FCE1C46C5885C69C4EC5503472B7C0C903374B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:10.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:10.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B984E8B495AF72ABB49CB6F00DB312CA,SHA256=D207DF8417E0E1EE067A6F407746AEB7837A55B0303BA1720EA9DD5823F983DBfalsetrue 354300x80000000000000004296073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:29:57.573{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63727-false10.0.1.12-8000- 11241100x80000000000000004296081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:11.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:11.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=748CAAFD493D7F4CEC1DB8798F23601C,SHA256=DD3411EA6D76D53BE4556B7370928E7AA959476C0B81B56815B78D8651DDA18Cfalsetrue 11241100x80000000000000004296079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:11.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:11.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=683ED6CCE91F57A7C3D6AA9F4B7BBA69,SHA256=469A0183EB39837CB32F78F81047F79E7C4FF1320F335E304C2EF2198F9D6AB2falsetrue 11241100x80000000000000004296077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:11.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:11.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D9E8C2F38706902EB4632BCF46CBC1,SHA256=BA6723FBFA10B9E003A9107B17C63E7B83DDA23D2AEABF6618050999646C9EF9falsetrue 23542300x80000000000000001314606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:11.042{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA5497AA7DA52C820E4272A39F7A783,SHA256=116175B192AFF07C41BC3256ED2ECFC4FFCF3E202BF5F77E590B4CAAF3A9B65A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314610Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:06.426{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314609Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:12.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237B62A83F19DDD3B65954C091C65D53,SHA256=C5D67EB0508124A41DC04E1C57C54E889BC5BA3707DC1169A784FE2B23FDB573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314608Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:12.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2584AF80458CB5A9FFBDE26BC8CD641B,SHA256=9CCA24D6440EA65C122A6B40B787AB9CA40934F4ACB9A2A7872822523030D713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:12.057{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2931ECBED1A2AA4611FE7C6CF51F929A,SHA256=5BC90664E05E46F67E21C1FADE69C8C1DE441F87521D74A5ED70E20DFAB59A90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:12.151{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:12.151{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D36032777673E0DE2A5BD181FF7A1B9,SHA256=972506EDFB6E63431EDCDE56EE629744F6A94A2F24101AB3627BA836491D425Afalsetrue 23542300x80000000000000001314611Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:13.073{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC2248A5199DEDC04DECE63D1C8C428,SHA256=B1F281D905D520367E60193604826A87774520D3E7A64971F09D07E6AB243FCD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:13.167{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:13.167{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE56F1D4E901353BE54881FDAEBDF0,SHA256=2D08A87D460330A5398AE5B36B07A7FBA04688C22E9622466E0B1C5A624B0036falsetrue 11241100x80000000000000004296089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:14.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:14.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E988FE2B76197CD29D55A1102C72FF1,SHA256=B37C21B7F8A39BF6EA7AC31BF0A4408D6F3FA5BFB2DC964024F90A983887C4E5falsetrue 11241100x80000000000000004296087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:14.182{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:14.182{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F11DBBF033C02C0AF381E7751098574,SHA256=1DDBD808B70CE93F20A83689952CC8E44D2739C56ED41CEECB41C0968C5906D2falsetrue 23542300x80000000000000001314612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:14.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70D5607C6F9DAC7BEC7E3217FCA65B6,SHA256=BEFC06FCD897D944A91243138FC1395C8647E48E41CC68428581BE7E99BBC8FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81AABF0425AC8E90B902D5C4483D837A,SHA256=77A712D1D071944F4F8B3AD32FF1B896CD9C365E8245228D6DB9175A1D7A8545falsetrue 11241100x80000000000000004296095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0920F45F1B9F6F7844ACA81A8B6DA3B,SHA256=1E2AAA0EF49A1E47D686E29CFE6E443CF089FAAAF09420A9640A1F2F1F32A44Bfalsetrue 11241100x80000000000000004296093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C298406E9EF64CC0E952A3E1BE4F432C,SHA256=C7731744C7CF868CEE52077B33F9F00F357F44F7502928CB7CD6127E8B44CC98falsetrue 11241100x80000000000000004296091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:15.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815E8A44D4D52700DA97AE851AEB5AFE,SHA256=B34DB768C706C11C5DD3616CD7016094C122C8BE59474FA1DDE950D3DB654A03falsetrue 23542300x80000000000000001314613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:15.104{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97581A2CBCE99FD93EA7F476A456C742,SHA256=85A11FF825E22223653F4A99E7AD52F277D0E78ADAF09A9DDF0695C6A4B1F38A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004296102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:03.636{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63728-false10.0.1.12-8000- 11241100x80000000000000004296101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:16.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:16.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAA76FEA5427C5FAA3811DA6D9A59661,SHA256=DF356212CC6C0196A55C34F4F320117DD45080ED1C6C8879E499D4A4BF32A851falsetrue 11241100x80000000000000004296099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:16.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:16.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068BA7632B7DAB046AD88987B084B821,SHA256=BABAFCDA5B47FEEADCC382F4A92ADA5DC2C1FE7F80AD7077A919A44A525F156Bfalsetrue 23542300x80000000000000001314614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:16.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC36065AEBB2CF6DD8FC54AD944100C7,SHA256=F486F553AC857EEDFF47FDC2186E64B1B6E59F9E6A53B0191DB0A606FAFC20CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:11.520{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:17.198{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237B62A83F19DDD3B65954C091C65D53,SHA256=C5D67EB0508124A41DC04E1C57C54E889BC5BA3707DC1169A784FE2B23FDB573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:17.136{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939F03B2EED4DE8A65442914075DBE38,SHA256=741DF845411570A464927ECAD09BBF72FE2685D61227FBF4C8EABB801AC56D7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:17.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:17.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD0934E3D26BEBDE570BF4DC7CB4DA6,SHA256=351BB5667946257E325BABAAFDF424598251988E528FFFE93AEA67100F84688Dfalsetrue 11241100x80000000000000004296104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:17.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:17.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E98A73318C001F9AB551AB969DEAAD4,SHA256=19367FA845137DF185393C08C3DC250E7F731DC63F87E7B45600E555B23CAB35falsetrue 11241100x80000000000000004296110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:18.761{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000004296109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:18.761{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4C5AEA9F7C1A109EEA5AF4AF3436EF41,SHA256=8028B6AD8610FF1E90352C0950678618B28B1137163378A3D0F084D97E5C8CB0falsetrue 11241100x80000000000000004296108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:18.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:18.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EB76D24967315FD7BE4EE045200E9A,SHA256=1C51D43B6B332D5CB7A2D814F502978834C719693A7486894C15AD62DDE8003Efalsetrue 23542300x80000000000000001314618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:18.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3064F35EC125CC43CFDD4103CD0550BB,SHA256=06940E25B82BC33239D3EAA674A96773C9D560571404FF978F2C7E4A80EFF555,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:19.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:19.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A12D42398A9FCDAD2D5DD11D6C381F3E,SHA256=5FB5E184761BA53E688C65A8F46E7CEEEC89D8408157D4A845B1D3E93DA319F2falsetrue 11241100x80000000000000004296112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:19.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:19.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAA03E7E7DBEA14D5EE4F5DF9A95ADE,SHA256=17BDE2BE2244EC49DA48C33D5B0C3EECE8690FF3AAF8CA43FA29CF3D1404D909falsetrue 23542300x80000000000000001314619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:19.167{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5467BA50601DE06688E7732406C2BD6D,SHA256=98DE9F9F068DE18B2347AD4F2B23F12B1D72EC23AADB7B8281C10413601AEA7A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4984FC3246674C929075AFF62F930547,SHA256=2E1F2B988DF46947C8F0C48D1B227BB2CE0FE56A8FCBBD51ED2CC822401A9D53falsetrue 534500x80000000000000004296182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.886{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004296181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.886{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004296180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.886{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.886{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001314623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:20.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA588853693C0CCE28CE2021F1050AB,SHA256=1C98473EE5BC134C81E17D4586B5D35DE07B1E138A6F01D1E2497D90FD0B78AC,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004296178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004296174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004296172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.776{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000004296167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000004296145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000004296142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000004296141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004296140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004296139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000004296136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000004296131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.761{4DF467A6-041C-6138-A0B4-00000000F001}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:20.761{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:20.729{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 354300x80000000000000004296121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:08.651{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63729-false10.0.1.12-8000- 11241100x80000000000000004296120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2510684FD92A6E4C9EE2F27E9B651591,SHA256=DF062D552870B19BB19C702679F7FA50A40A1C92622307CED1EC66AA9BDD01E6falsetrue 11241100x80000000000000004296118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F9B23DADB20C34A6F5B64D97D3E50DA,SHA256=DFFBD334C9228CD634DE1E752D1781A994A71612593C6B6BADEEFBBEE2EC6B20falsetrue 11241100x80000000000000004296116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:20.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0920F45F1B9F6F7844ACA81A8B6DA3B,SHA256=1E2AAA0EF49A1E47D686E29CFE6E443CF089FAAAF09420A9640A1F2F1F32A44Bfalsetrue 10341000x80000000000000001314622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:20.120{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:20.120{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:20.120{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000004296304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.979{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.979{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004296302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.979{4DF467A6-041D-6138-A2B4-00000000F001}64083088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.979{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.979{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004296299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9328D648ACD839FCE56B5EA8074F9777,SHA256=9D680C1B08716AAF28412AEC7C9AC5EEF20510F636A253403E547A48477118D5falsetrue 23542300x80000000000000001314624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:21.198{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3C862210CAF2539F88C30A409052B2,SHA256=BB6B2D4080CA31AD93E23442890E5FC9C597E8425C321E5D5812375C8F526A7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFCC0ECDD9DD34DA405752865419EA3,SHA256=2AAC35D8F7D2B64CC5691387885E2095657A5DFD5E9EA4B4CD4F09160FB252A3falsetrue 734700x80000000000000004296295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.870{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004296253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.855{4DF467A6-041D-6138-A2B4-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:21.854{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F9B23DADB20C34A6F5B64D97D3E50DA,SHA256=DFFBD334C9228CD634DE1E752D1781A994A71612593C6B6BADEEFBBEE2EC6B20falsetrue 534500x80000000000000004296242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.464{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004296241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.464{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004296240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.464{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.464{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004296238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004296234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004296232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.354{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000004296201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000004296195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.339{4DF467A6-041D-6138-A1B4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:21.339{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:21.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FFE2894165325F6C66809B2FA4F0D03,SHA256=12A3B96BFEA44E20DDA24FC956D7AAB3D37AAFF18ECF00E625AF2CA1EAEDF83Cfalsetrue 23542300x80000000000000001314625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:22.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF394E149BB93DDBBD389B9C3FBF74DB,SHA256=E8F7C8306AE3CAA8C0F84B977D98A237FDBAC7BBED641F262D9093F61DB6ED0F,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000004296362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.651{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000004296361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.651{4DF467A6-041E-6138-A3B4-00000000F001}5760828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.651{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.651{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004296358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004296354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004296352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.542{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004296347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004296332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004296320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000004296315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.527{4DF467A6-041E-6138-A3B4-00000000F001}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:22.526{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:22.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAC1696BB8EC6201D7231036CC1930CA,SHA256=7B3DDAEA226EDC699DCCC3AFACA8A7098301B9F0835F76F9C854E37A480BEFD6falsetrue 354300x80000000000000001314629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:17.535{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59600-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:23.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CAAAEA2B2603D68DCB31F033B32B336,SHA256=A4A235F6C9894048837AE32A45CA192BC99805814EB262DB4A73BEA028689F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:23.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8FFE67FB531BE951D8A2776FEE54386,SHA256=5D2171A369FB37DF60B72D3726FC59EDDAF989EA64D444F30E96C31C3C6EE5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:23.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FACE76E5BACD5D301F4E4F5D9885124,SHA256=CE3A67D8AAE02A6916AB3F77D2FC9B4B2A964074C7DD041E570D8B1EB138CDE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D83E54E6F9A3A5079F78C23836927E,SHA256=05481F2B45232304CB6374135C145E44C3E3BD91CF820D24FEEF3EF58D1119B7falsetrue 734700x80000000000000004296474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.886{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004296432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.871{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:23.870{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000004296423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.323{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004296422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.323{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004296421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.323{4DF467A6-041F-6138-A4B4-00000000F001}69125296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.323{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.323{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004296418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364A573763C719BD7BF3D7C9A669848A,SHA256=D08C042CF6E357AC69D22B6F125CCED00690287EEA051202F599441D531177CCfalsetrue 11241100x80000000000000004296416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1146B4524125F9B89710FBFD2EA0D109,SHA256=B330B34C4EC9EAD92A2331A70B98A8BD8DE28478550A3DBBC27FBD9E87D944EAfalsetrue 734700x80000000000000004296414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004296410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004296408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.214{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004296377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000004296371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.199{4DF467A6-041F-6138-A4B4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:23.198{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.964{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000004296544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.964{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 534500x80000000000000004296543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.651{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004296542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.651{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004296541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.651{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.651{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004296539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004296535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004296533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000004296523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.526{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004296505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004296501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000004296496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.516{4DF467A6-0420-6138-A6B4-00000000F001}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:30:24.511{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.511{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AEA238953D675DBB0CAA13C2725FF7B9,SHA256=4D46BE8B717A07FD38CFBE85B3FC03B3408E1758149CF867B02CC1E2234E4B00falsetrue 11241100x80000000000000004296485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7763964F012DB8847CDF5A34CE3E2FA8,SHA256=858DFE25CB07760E95DB90963E63EFA8FB428080E8DD868F2D44B86E76111155falsetrue 23542300x80000000000000001314630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:24.245{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745B57C56ECBBA2CC8033E13E70034D3,SHA256=EF50A81B08CE63410CDD0307E3F7342D2C0363B986ACC8BE8E79AD1FF933BDDB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:24.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF279BBDE18E246D2113C6647CA5581C,SHA256=FA03E3B861020F8C6B1C32D788AD77B9F76362CBE1D191FBA7A9AC59013725BEfalsetrue 534500x80000000000000004296481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.995{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.995{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004296479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.995{4DF467A6-041F-6138-A5B4-00000000F001}57726884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.995{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:23.995{4DF467A6-041F-6138-A5B4-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004296552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC537D30B8626757134A0BE105E1247,SHA256=4BECFF21D74AC4087A6089164481B9AEA432D5CA6695AE606C7FF0F6D474E9F7falsetrue 11241100x80000000000000004296550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B7010A37F01F2843DD02814DB87893E0,SHA256=4E38646442920FBD00E4D2C30D9A04EFF5D75C325D4027A43159997AB845E92Efalsetrue 354300x80000000000000004296548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:13.667{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63730-false10.0.1.12-8000- 23542300x80000000000000001314631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:25.260{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A7AC779B1BAAA7FC66E498CEB5B329,SHA256=16846E1457ADCC21E63AB2BB5DD453698436A8CD56AD420BDE1DEB6E48EA4D56,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.245{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=265E6403C34DEF2097074D97B2A62D6C,SHA256=5C5835B253609CFA6D8DF61E5CC03344607CCACC58BAC8F892DDF9F9597994A9falsetrue 11241100x80000000000000004296559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:26.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:26.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FE13E1494D19596B0A5FAE4AD15C90B,SHA256=B28E83F60C072D9B51375E20600CFAFD04AE0557B44263DA4EACF457EB5DDBEAfalsetrue 11241100x80000000000000004296557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:26.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:26.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91956DAC8FBF8E5A162F63BE16CF1B0D,SHA256=DE69BAC8952C68F46FC4F60648A2351EFCF39C7440F78C604B36EDD6D6092967falsetrue 354300x80000000000000004296555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:14.385{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63731-false10.0.1.12-8089- 23542300x80000000000000001314632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:26.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9698E6DA638A881A861C86B26E7A9A25,SHA256=DCCFF08690700CD2614C6AA7D33F48B2B1EEDD2DABE2B3B3368FE8FB8115FB25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:26.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:26.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=975D179801F9496B39EBEBBE268955C3,SHA256=B1816B022F5B5A093A1CB199B14475D164DA75EDF3494446253B555E6FFEF53Cfalsetrue 11241100x80000000000000004296563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:27.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:27.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C757EF8934479B8C38EC6FC11E05E0,SHA256=4019EEBB0F9E12A705C6BCCE81B5A94DD12E3EFECB425AE3D6890233CE7AEB7Afalsetrue 23542300x80000000000000001314633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:27.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8874785E5F41BD4C9E1B21EB60DD3DDF,SHA256=5442FEE33BAD61121188513E5B40CE17818B77D442AEBB5FB0B9709A6258A993,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:27.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:27.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=214EC44E5FA6485B9EF63292B97B7135,SHA256=F92371C7BDE73962B3ACAEA4409CCC4A393E9D76F139B2534E60848DC37FDB11falsetrue 11241100x80000000000000004296565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:28.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:28.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3A06DAC94ADD589DDD714655932430,SHA256=E1B9251C903CBAE4A593D854041E7B348BD01CF061266332B19717A3A3AAE83Efalsetrue 23542300x80000000000000001314634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:28.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FD1FCCD068F6C4B073D4842973E81F,SHA256=9CAA4337BE933DF4C2316EEBE0B538B8E485077D07045FDC8F666B9732F1A5B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:29.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:29.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673C063E276A91869D96D811BB0041BF,SHA256=22A168DBB8A71984E5550973F80BFE3D4FF518924202D10B1901CAFA144B641Cfalsetrue 10341000x80000000000000001314652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.779{AEE49BD1-0425-6138-C9B0-00000000F101}34085424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001314651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:23.554{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59601-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001314650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0425-6138-C9B0-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-0425-6138-C9B0-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.654{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0425-6138-C9B0-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.639{AEE49BD1-0425-6138-C9B0-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.310{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEFEC313AE4CD33B10AE8DE451E2B6C4,SHA256=467D9498BF60F7C1B329FAD802470E499773B279D4DE2D55CDE66A3676094856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.310{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CAAAEA2B2603D68DCB31F033B32B336,SHA256=A4A235F6C9894048837AE32A45CA192BC99805814EB262DB4A73BEA028689F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:29.310{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CFBFA81C312A6482B97EC9278D1B01,SHA256=FB004EBD0371FF7504C395071B73F5AD8CC943E8D4725EFD236A75145AB2DEE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:29.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:29.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D03E8EE38B64181320C6C203CF8DDC0F,SHA256=F65D37901D9ACEAFB0EA71C358FFB569B5CF485072B71F552A07A5D5470E696Afalsetrue 11241100x80000000000000004296573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:30.779{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:30.779{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF482B0E5B0E3005AC419558C567AF4,SHA256=C97B9CA2E7B553AA00EF3A54687C8D383678E53156847DE5A45D229D0EE7ACE1falsetrue 23542300x80000000000000001314667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.717{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEFEC313AE4CD33B10AE8DE451E2B6C4,SHA256=467D9498BF60F7C1B329FAD802470E499773B279D4DE2D55CDE66A3676094856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0426-6138-CAB0-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-0426-6138-CAB0-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.342{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0426-6138-CAB0-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.327{AEE49BD1-0426-6138-CAB0-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:30.326{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906F3B20CE77071714EE24F809E1BE8C,SHA256=C6862888AC4AB75267B951AEDD37D676DA818EB941FBB86E956DDFE3215937E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:30.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:30.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A6FC7793C915BD99FB8D8F2482034CB,SHA256=CA24A8C9EC71A18C6E5B4925491341060D4749D97D7868DE295C28FA90DB68B3falsetrue 354300x80000000000000004296580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:19.685{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63732-false10.0.1.12-8000- 11241100x80000000000000004296579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:31.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:31.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614BDD18A8B954E17D354CB59539C55C,SHA256=CA3EB170F6F07E5F5FF033D54A7803208324555420D80DB7E10535BF2A5E3EA6falsetrue 23542300x80000000000000001314681Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.404{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16895A74CC56D8D5049C7C8A589D7F1F,SHA256=9CD3C3CDA5C54316E7144229EF6B94047BA9E6FFA9C4FC9793C5AF1C761B0A7A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:31.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:31.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1BBD75AE08C19AE376E1E3FDE19DC3E0,SHA256=8B0310B644456E7F597533854672510215055C518FFCFC96F988E965FCD11DE0falsetrue 11241100x80000000000000004296575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:31.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:31.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1B0FA804000E6EAD74B6D6B470D1EF3,SHA256=820AAC0982D660DDB5416EE1FBED5ECC5E64E4B833713B2A4ECB93EE597E2F01falsetrue 10341000x80000000000000001314680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0427-6138-CBB0-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314679Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314678Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314671Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314670Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-0427-6138-CBB0-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.029{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0427-6138-CBB0-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:31.014{AEE49BD1-0427-6138-CBB0-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314683Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:32.560{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBC3064E768924BCC30F00D8C7C4152,SHA256=85BAA2EC6AC8ABC00CAD9791B5FB2569F5628F8BF7CD783A4CC1AEFDC24FC218,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:32.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:32.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6CE234EE0EE0C128946BA7064A823EF,SHA256=6BF4C0BD60FAF1F41F5B3FF13318D6F01936C473571ADFFBBB7ABD0037F15658falsetrue 23542300x80000000000000001314682Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:32.029{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96070D6BAB7C3509CFB4C1DEEC5CCF9B,SHA256=6FD44BDF21B50186BD546C96E8FC120BED60A8E61E98A707660458AD2ED25784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314684Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:33.576{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F4C6D794C93F705DD98F66B79ECC93,SHA256=532A07B2879B0CBD84D13EFEA3E2695648602A7036EA590CA3D2E18264F3B3EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:33.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:33.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3445AC272B783CB134B756047EE9F39E,SHA256=C64010D9763D2A4CF3199EEF5F003D0081F4AFB81019ACC657933CEDC0C4BD73falsetrue 23542300x80000000000000001314686Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:34.638{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5EC0C1F2CF17F54F9015142BE8078C,SHA256=8B352D73BCF2735801F6B4D931F93684D8551E8381EF424E9E53BDDEFAF20D85,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:34.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:34.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB6AD7610C32C02CE39133C24FE9292F,SHA256=CB647C880FD28AB1E0624E2438C9E65163A24E4623E1BD8352A44F109D26E0CCfalsetrue 11241100x80000000000000004296586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:34.045{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:34.045{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C9B5E4D0A7710E638CBDC6B410288D,SHA256=D57D2C92C524E5C3C4B8B6CAB623D0D0156D380A81289F5617312344F9721AC6falsetrue 23542300x80000000000000001314685Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:34.263{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB07A509DE361824DAC1544CC7295550,SHA256=948FAFDE1CE853C0970E066FDD17B631ADEDFE953B5170EF34F6F240CF73AD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314688Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:35.654{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C3A50ACDCDC5DD12C7EA9C2C5BF710,SHA256=A14EC5EFEEC7D4F412C7AC213A41B0B553E21338C41745D386F0A1FADA37739A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:35.498{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:35.498{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A37D66B179DEADBCE10F8F4FFE03808,SHA256=D7C3D69FDF6EF31A696B30307D2B2C94F8FA375AC24EF0B68C63944DDF15174Ffalsetrue 11241100x80000000000000004296590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:35.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:35.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2AAED42235FD137E7A259F41005352,SHA256=8B4E872A7C495E789567B903CD873F4E0D77B4FA67F5D2B480B8D87C8E5539DBfalsetrue 354300x80000000000000001314687Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:28.570{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59602-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314689Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:36.670{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30124C0B9B556C864B47E21FBA9A8BE9,SHA256=43FE459B4A06044E052A9ABCAC3932EBA72254382A38687E4CE66A1896C46CFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:36.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:36.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45DF5F603E769F5FC717BC126475625D,SHA256=12F18DCD4C13BF70E99888EE47CDEB9384835212733AA199698053A6839F1685falsetrue 11241100x80000000000000004296594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:36.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:36.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1598116A6C722065531CA5AF657A3FD3,SHA256=340E147F4E5BF883382FAF6A9D8CC4D8A84CFA423FD63CD05D3BF560FB87E107falsetrue 23542300x80000000000000001314690Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:37.701{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3412A00CC5087625D7960D9DE897AFD0,SHA256=666C3E99919F2D39E505C13EE59FAB52BBE2349F555E82A54C44ACEF07BC07D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=777AF47BAF24D246ED7FF2B487690080,SHA256=F0957CD9EDC4A0D51567C8E72B654C2FCF084C043F14AA4E6C4FAC198E1B636Dfalsetrue 11241100x80000000000000004296602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21221762ACB2BE8BD84A1165AB9C46E6,SHA256=A314E58DB3482E3A5EF747B56E3CEA341913B7F541556467FF6E9D92A42DDE01falsetrue 11241100x80000000000000004296600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=227921C4554EBBD1749D583A17D6FB43,SHA256=ECF3F5AF554B3EB1BB98EB857E40AABAC8D2703F2392569FAAAF6567A49D9DBFfalsetrue 11241100x80000000000000004296598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:37.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=422F9DD259B929777927D8591179FF46,SHA256=4DF83BEEAABB19FEB6D306D2B67CE53D27FA3B7C7BF29A68F288A4837F0A1589falsetrue 23542300x80000000000000001314691Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:38.717{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AF1E43899C158F28678CD28DE71EA1,SHA256=5582A4CB2829033F2063D9C4AFF3C11ED1451FED558B8CCBCFCB3BB27A1A0841,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:38.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:38.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D985E0608CCC3EC088B2E37DCF8C99,SHA256=1D2C034FB9DF9A245641C1379FC6323A75B9AB068F84D9EBE6904060ECECB2B1falsetrue 354300x80000000000000004296605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:25.482{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63733-false10.0.1.12-8000- 23542300x80000000000000001314692Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:39.748{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861C8B29530E2E9608B79543382326A5,SHA256=BEF3DA77CF7C6DAE5F3A5834BDBFB9F9ABC89C1D5D5893E172F581F25B5F53D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:39.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:39.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6DB0D8F42B660D23F2229DC352410BD3,SHA256=3CF69B5CE3DDAD898AF61F16BDC04E9BC4A3AAE157F5111CF77BBA375B06CD3Cfalsetrue 11241100x80000000000000004296609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:39.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:39.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250E2C37835EC9BAF438333479948DB5,SHA256=0BC050023E8C117557310D901B5A20A78B86A6A91CC3EB4983982C96D0F87E71falsetrue 23542300x80000000000000001314695Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:40.763{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484A01D8A3EE6E1FD5B9979CF7D3E6D1,SHA256=DCD87D352A6490AC6C11C9714B84C6233878300B3373C5A8BDF3D9777978EB00,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:40.545{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:40.545{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA170C937499CA69AC6DD99037D3681F,SHA256=B32291E1C2F20169EFF3424B23796910754BD2F6A34590CE47596D802D0BA8D4falsetrue 11241100x80000000000000004296613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:40.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:40.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F2D97567ACDE69E72C492408807E31,SHA256=0F4C2584D5A9BA548FFDB48930E6AF563FF8183453FFAC77FC67B6BB8BBB56B2falsetrue 23542300x80000000000000001314694Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:40.217{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F97F571DEA08416B5604B62B3F3A3E,SHA256=BDB0795651C6218A5AB5DB5BB312660576846C36C84BFDC8DE9FC51EDA257DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314693Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:40.217{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=969426E322891240C9823CB397140BBA,SHA256=95CC21932EE69DBC50A1364E9616B85557CCB6F0C2062CA4C7C96249F90BA1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314697Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:41.779{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABE680A0EEC86119D41B63A65DF8453,SHA256=C068CA731C6C357DA3F8FFF884C434FA3A0D18E9C33DF03AAF34045E20A03848,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.952{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.952{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=227921C4554EBBD1749D583A17D6FB43,SHA256=ECF3F5AF554B3EB1BB98EB857E40AABAC8D2703F2392569FAAAF6567A49D9DBFfalsetrue 11241100x80000000000000004296622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0ABFE3F21F176EA90C1D0A427DF158A9,SHA256=28C9EFF6DC406606BEC393E4E09F7504189586DEE08646E3B5365906E08356D9falsetrue 23542300x80000000000000004296620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.532{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-6144MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000004296619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.531{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-61442021-09-08 00:30:41.531 11241100x80000000000000004296618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.531{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-61452021-09-08 00:30:41.531 11241100x80000000000000004296617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D05AEA06F1E47ACAC54C145366950FA,SHA256=965CE941A0B293E6BBADD5C88F10C0A53F53742859BE5A4E31EC9ED2B45A0D40falsetrue 354300x80000000000000001314696Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:34.570{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:42.795{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD31E2F7991F0A6E15F1E7AA4B7A2B3A,SHA256=BD623DE2AAE78BB9DB5898FC5D3685905BD5430C42DDC57C939A665857E63DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004296629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:42.547{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-6145MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000004296628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:42.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:42.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FE6897AE23EC70B578F4F6A60F369D,SHA256=7C9B4F775520B41BB0EC0773909F59B71561FF03A83B545984B5AAD1048ECC09falsetrue 11241100x80000000000000004296626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:42.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:42.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AADACD87E260404169A6154151801860,SHA256=9064CF1DD00449499868C8639C1EED4E7B3CE4A855BBA7D349BF453FF9023513falsetrue 23542300x80000000000000001314699Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:43.810{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1959968FFFA8DC748C515A54182C8,SHA256=4AF2EB17E691E51393C80C113D9EFD2F79D1B1E93F56F2E287A7DEB01F618128,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004296632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:30.483{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63734-false10.0.1.12-8000- 11241100x80000000000000004296631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:43.359{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:43.359{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D4A226BE6090A718A4AE9B3C542078,SHA256=15E06D0BCF8CE284E922B04637369F57A780D0404B43FA30F12F21276DE4D073falsetrue 23542300x80000000000000001314700Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:44.826{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942FF6C513F38DCD715410FDC22BB1CD,SHA256=93B03BF32B67161E8BF25AC9ED82A1C4D5569B7EAD79EFF757E43C7C59CD609A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:44.656{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:44.656{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E5A10C3E240E17E78AE882474FE3A2E8,SHA256=7257EFD231DD81E3486877EE689C8B1EF706E05F151B7572BD3D094D4676409Efalsetrue 11241100x80000000000000004296634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:44.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:44.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3D2F42CC1F438213FA2005DCDD21C8,SHA256=D8AAB15A7E0C139A96C1147C81B0258A5B0943395F9C3ACB3426F53379D27E14falsetrue 11241100x80000000000000004296640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:45.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:45.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1E05A13DF85BE577CB68CCF1EE10582,SHA256=750224FCA6B5ABAC2A679B7B2AEBB4CD456368265E40E66908EDDFDB54C63611falsetrue 11241100x80000000000000004296638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:45.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:45.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1726B855AA5A9685884E699E5F12A7EF,SHA256=0308216E563897705DC9528AD7E8C4D2ACA6EDAF61EAFCFFC11D470B06A8E990falsetrue 10341000x80000000000000001314730Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0435-6138-CDB0-00000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314729Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314728Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314727Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314726Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314725Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314720Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-0435-6138-CDB0-00000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314719Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.904{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0435-6138-CDB0-00000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314718Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.889{AEE49BD1-0435-6138-CDB0-00000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314717Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.842{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A1F6ACED6F7C0353B417951DCD8B50,SHA256=75D6E8ECA75F4F48AE00F209AB4796C6733A6EF59296C2BA1DAA3A0F0E94F633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314716Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.326{AEE49BD1-0435-6138-CCB0-00000000F101}55446136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001314715Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54D78C7EB87A944968DFC6E6221C51DF,SHA256=40CD032BA08E4303B2C31207E6C5079FC9E39A582CD01B8426E0C9F979356C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F97F571DEA08416B5604B62B3F3A3E,SHA256=BDB0795651C6218A5AB5DB5BB312660576846C36C84BFDC8DE9FC51EDA257DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0435-6138-CCB0-00000000F101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314710Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314709Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314708Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314707Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314705Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314704Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314703Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-0435-6138-CCB0-00000000F101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314702Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.217{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0435-6138-CCB0-00000000F101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314701Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.201{AEE49BD1-0435-6138-CCB0-00000000F101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000004296648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BBE8E11ECEC938530E155E50BFB319C,SHA256=0774DE0C252C0A8A78BDB2AD4776A378D2C7FE59644CA6F8A25CD8969B65F6EAfalsetrue 11241100x80000000000000004296646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40816D59D5547C57D52757E85A8CAF87,SHA256=17DE69FDB791C345373524C8C7991C42594AE2294AEDC27ECE88B3EC65170A74falsetrue 11241100x80000000000000004296644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C440C0D471986610223005A02D0743,SHA256=8D3811FE35A2C4C78FE8D61D3685595F09012095E09AA559BFCC5506ECFCF063falsetrue 11241100x80000000000000004296642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:46.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E54FB9859211B4E7A4ECA21140A9B79B,SHA256=9D978FEEA37F77A14AF37C432711E646211FCC8C6DFF3815C9C8861C593099F3falsetrue 10341000x80000000000000001314747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.702{AEE49BD1-0436-6138-CEB0-00000000F101}42365900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314746Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0436-6138-CEB0-00000000F101}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-0436-6138-CEB0-00000000F101}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.593{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0436-6138-CEB0-00000000F101}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.578{AEE49BD1-0436-6138-CEB0-00000000F101}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.561{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54D78C7EB87A944968DFC6E6221C51DF,SHA256=40CD032BA08E4303B2C31207E6C5079FC9E39A582CD01B8426E0C9F979356C1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:39.616{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001314731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:46.030{AEE49BD1-0435-6138-CDB0-00000000F101}45564744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000004296652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF804A6DF88ECF61693073C4B71C7FA4,SHA256=9F7DB10DB4BBE1CEEF9FCED249A74957360BA85A646F6EF7CA9027EB19FA2B5Dfalsetrue 23542300x80000000000000001314749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:47.593{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D95E67DC23A6BFBA855677729D6DA6,SHA256=F1041ABDA1ED0AF789453524A1DF3441760750AFB678229C98226191C57F43AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:47.030{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA95503B8EF38847FFC1F71F44D66239,SHA256=9E7BA7A850973B8A29A414D2B206FAF114FF3839D9DBB8A57F2E7D8DE465B871,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F9BD3093DAF3A9765F30D6752630A4D,SHA256=862801C8FEAD79FBCA2805095A55B7091B7305C6E44FBC1AEE1A315BA07BC208falsetrue 11241100x80000000000000004296657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:48.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:48.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59956A443EB54CC33E5E1161B009CA91,SHA256=AA96ACD115BA0786F0130E6CEF4A6C8B37539C2A3558108942A530419CBCE68Dfalsetrue 13241300x80000000000000001314751Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:30:48.171{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a448-0xc5138e1a) 23542300x80000000000000001314750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:48.046{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99F7ECE83A15FBF9F7A0A408C09605A,SHA256=13299F3A6C83716A4D2B2B73C24592C6AA7738065FD91E81112AB9D91E162C26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004296655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:36.514{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63735-false10.0.1.12-8000- 11241100x80000000000000004296654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:48.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:48.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BBE8E11ECEC938530E155E50BFB319C,SHA256=0774DE0C252C0A8A78BDB2AD4776A378D2C7FE59644CA6F8A25CD8969B65F6EAfalsetrue 11241100x80000000000000004296661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:49.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:49.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2F2B483CC27D41D42CF2F72A12A6912D,SHA256=C00C4901B532ED2AB3265AFB19609FCB3E899F13D117F8E409C27FB2169849E3falsetrue 11241100x80000000000000004296659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:49.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:49.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071678DE65F903E1D42CC98C0FF5C1D5,SHA256=6215C9CC55D4DD2A0CD7E56EF1136E437C768B9E33E0BCC112433FD39FD1AAD1falsetrue 23542300x80000000000000001314752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:49.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069F8D3D4B5E1D605C85975D8748C824,SHA256=B1BEFE737EC0CEC89CBACE4C9428930FB0B4F69CD43B08302D51FA739190454A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:50.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:50.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A7A3F3A15D2C2D01F66928DB414CEC,SHA256=F77961DD19F358CAB3FB4F1A4CAE8FBC5A999B00485EE607A62B88BEE34EB0CBfalsetrue 23542300x80000000000000001314754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:50.608{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:50.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703F5A5444B4AAF3FD45D80B79CB64DD,SHA256=54D1B2D362FFC9D37EC69899356124104DDAED756CB4A064F25DBEB240BBC497,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:50.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:50.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE121C4B40E674BDA9216A346B9CCBA4,SHA256=AAB1BBCAACC8F4300390747AE28F0D3F547DDDE37715678B4F2443AA063EF6A1falsetrue 11241100x80000000000000004296669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:51.702{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:51.702{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F12DB57256BB08CF831D5B3C3D0A57F,SHA256=73A661C06FE01DCE4C58EB8E53EE784E5573EA4ED642D44454C19FD590A27FACfalsetrue 23542300x80000000000000001314756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:51.124{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33287F3B31B7FC263B81CF195D1C2F4,SHA256=6FBF1FC48FCD6E2D6F4FAACBFE4F2A3BC1946CF3AB5FE9D96B954CABA3A7D999,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:51.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:51.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E69B9B35EE739EA9D3040A65F6555E65,SHA256=3F52F65AFDD4950A6FDC1183880FDB761B9CD1D2EEAADE3355428BABFF777129falsetrue 23542300x80000000000000001314755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:51.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D83FF12C9169CBF7448EE77B7674A497,SHA256=574C307641746630D4C08B19FDAA3DA4F43B438EE3333B2AB489EE76C2755B92,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:52.718{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:52.718{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257711DF33DE0DF613856392791511FF,SHA256=C30708B4122F106DEE42C47285D99C01075A1DB3C29D3925FDAEBE4BB29839E1falsetrue 354300x80000000000000001314759Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.946{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000001314758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:45.383{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59605-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:52.171{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1726A4DAEEB35C47E57C9762F113940,SHA256=46ECE59A1DE96F8DA383D722847F6DAF9184AE9246BD06F78F667B0BD21EBAA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:52.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:52.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F5EFC044E6CD7F4C324A747C0F97D9A9,SHA256=E72DE41B77C3A6F973002C62C66A4C6CB5DD7EECB829FE8F857BB1459270197Efalsetrue 354300x80000000000000004296680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:41.686{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63736-false10.0.1.12-8000- 11241100x80000000000000004296679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:53.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:53.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE936F1A2E37C5FB35D318339C24D43E,SHA256=51FECAF445DDD54A393EC212BE6C9F2B235645D2C88800E004A2C20F54C983A3falsetrue 23542300x80000000000000001314773Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.202{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32A8888862BA76F729059F59A460810,SHA256=03C355501CC6ED3DA1B616291095E34C06D78B67CF6BB2DDCBD3DA151ED7CB44,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:53.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:53.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A15647E4B0A2204451F453A849B2A933,SHA256=4B3064AB0194314643B66CC119E91E63CCE0868558863E11EC58A23A33291C29falsetrue 11241100x80000000000000004296675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:53.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:53.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B03E6FBF0FA8F5BA30DF18F56BD58C5,SHA256=A3583869812DC7327AD0944201FFDAFB3D0C9DC1A96DC38A6FCE818455285D50falsetrue 10341000x80000000000000001314772Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-043C-6138-CFB0-00000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314771Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314770Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314769Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314768Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314767Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314766Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314765Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314764Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314763Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314762Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-043C-6138-CFB0-00000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314761Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:53.014{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-043C-6138-CFB0-00000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314760Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:52.999{AEE49BD1-043C-6138-CFB0-00000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314775Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:54.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176E506647A590EE1927E00C41302DB6,SHA256=CD0B63A441DAB87875D093FFABB2ADC909970087C25A39952708D1D71FC8EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314774Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:54.030{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D24BDB96AB1D8CF9D3CCE945F4CCF88,SHA256=EA8EC94C72A955D39231857784DF6DA6C8C2EAC5D092462A308B454124FBF739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314776Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:55.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF553635518D88ED259979D80AC09D8D,SHA256=16905186347D303CD7B88375F54E5E36BD68E3F5BBF7A73C0663CDF639DD28C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:55.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:55.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C549BABBE7E2DD770059B2353ABC9A6,SHA256=983017EAB9F2706E7505E999E14A9B30EEFFB05FA7FE7635B8F3E9C949903119falsetrue 11241100x80000000000000004296684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:55.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:55.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=04AD43A1D7CBFBBAB13CCB953E095F0E,SHA256=465B1B591072C648F92DF2F195502B737D66013DFD011C695E2D7F38AC76E8B6falsetrue 11241100x80000000000000004296682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:55.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:55.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62276A96575DC982CC4FAF7D54DA5BF0,SHA256=D39B26110101D350414B52D625647A3CE93A088407A5EBDFA52FFAE9D96CC637falsetrue 23542300x80000000000000001314779Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:56.717{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4B042C78FE8E1098AB6E98D3F3D55049,SHA256=008E3C653540C169366FF703C46A588F78A73CC79B49B51D5CDEC807B9CBDEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314778Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:56.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDA6956F85822F0BDAC27825C5CFD03,SHA256=FD9FC894334FD7C3C7183D9EA86ECF8A40643F19282512FF6B24D140241B3BA8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:56.499{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:56.499{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F58CA958A5BC7E65539C24EB3E4631CB,SHA256=2F785E5C55DCB7CED67F176A7694CB7D9D64911A23EAE83C7D1679EC5F5B0D50falsetrue 11241100x80000000000000004296688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:56.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:56.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F1A3727019C0C8259509F1DDB19B84,SHA256=EFF328F6FD304DED84AA72C9D643A57BE681C4E1142319D68A899FDFA556A7B8falsetrue 23542300x80000000000000001314777Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:56.249{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A29B24AEC29C5B069F7E95FEF39520,SHA256=9A4443790BD24F3295AD617C47946D60A13065ADFF542D3469F02D741610636C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314781Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:50.461{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59607-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314780Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:57.280{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68AE453691640AE7758833109F4922F,SHA256=831322DE2488291217323BAC84CC6124057DC51A63C8B14BA1030E371F9B3DF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:57.405{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:57.405{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BDD724AE2F878735B3DF890DAC1408A5,SHA256=5D23709CCE1976EA34ECBBE94D3E119854F86E30C2E04046ADC037632D3013DCfalsetrue 11241100x80000000000000004296692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:57.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:57.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA2180B8983B3E15D5D13A176007F0E,SHA256=6402C90DC57C86D3686DD8B1FA5EAE58FA146C305C38E30969AC657024104207falsetrue 23542300x80000000000000001314782Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:58.296{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E8330C6AE5492894687B371EA6062C,SHA256=B3449FD9B84E2D32B2A70E76A1AA4F7AE69E95C1AA0D9C05FC43293B0A05E4E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:58.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:58.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00734868E5CC92985CBE62C8B3EF710A,SHA256=0614EE6D7A4B16CA05D8584F30AD6055E689C78EB4F1F97F2C3F2560FF4CD250falsetrue 12241200x80000000000000004296696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:30:58.077{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004296695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:30:58.077{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001314783Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:59.327{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC60063688A317BFEA0478301FADC52,SHA256=A14EA1A5336420A53A9D6771307C544A7BD5754B1B7E81A63FA2C8FE3BEC93F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004296707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.514{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63738-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004296706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.514{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63738-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004296705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:47.482{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63737-false10.0.1.12-8000- 11241100x80000000000000004296704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:59.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:59.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92575EFEF716CACB5448DDB6F9BFF394,SHA256=30FF5D7BE1F7E913CC69AC1E563153BACBABB95A7B91994742EF99BC2E6979F5falsetrue 11241100x80000000000000004296702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:59.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:59.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BC8D8D2A40472A0F785CB059F1FECF,SHA256=A1D08D71A5A0EE4F096BF8F6410DA39A52921BFC93FB94B66138BC0158927399falsetrue 11241100x80000000000000004296700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:59.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:59.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A15647E4B0A2204451F453A849B2A933,SHA256=4B3064AB0194314643B66CC119E91E63CCE0868558863E11EC58A23A33291C29falsetrue 23542300x80000000000000001314784Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:00.342{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728C144408394104D499ECC1BB4F6506,SHA256=750CC071326CA405F9423AA1E3ACF51E42D5136D9CDAD8FC7E3E5D1909EEA455,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:00.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:00.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E82B0387C2DEBD8063E9F6EF26B89BCB,SHA256=57A4002D28A87A442900436F9E76BD56154C1C109D8D21707745E585D5A986ACfalsetrue 11241100x80000000000000004296711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:00.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:00.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0C8450C31F71A57BE7DEEBCE93EF1B,SHA256=79863D7905CA3CC04C6CB4247DD928022031CE103837C64207D748C6C4688F93falsetrue 11241100x80000000000000004296709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:00.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:00.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46C4695C1891CCD4AA4950E8A62391EA,SHA256=E7D5ED24577B12E6FB1AA4B79B6327EB1CE2E53DF540EB5AA01B3D13A6927230falsetrue 354300x80000000000000001314787Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:30:55.570{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59608-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314786Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:01.342{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54376EEEB42D8520BF389B6B1A7F3FDC,SHA256=648767B379B2A4483E29348710AD0A51C8606FBB3E3BCF42B40601E64C6CB77C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:01.530{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:01.530{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=046DFD0DBC7110BBE863881A60CE6517,SHA256=976332D2F946F6FAACA7D70F8B77B56B3F027778C367AA10DBCBED2B71F96E60falsetrue 11241100x80000000000000004296715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:01.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:01.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C4BD2884F036EAF483D44D16AB07AC,SHA256=CA3B8CB3528A859B7FC9BC223BEBC1F04E680386196812D9FF60E5622B160A6Dfalsetrue 23542300x80000000000000001314785Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:01.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A55552B35CD2BA3E4CAFDCB47742916,SHA256=1BE62708B09F1EB36BA516FD08FD9530BDDAC54B379167A33452BB205C062285,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:02.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:02.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DABF2B2E03C5B9877FDED040E7785C5E,SHA256=E6004A5A7AA1DD033CEF3AF559C05D6BB2C7F711C2302E8A67637090AE6D6794falsetrue 11241100x80000000000000004296721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:02.312{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:02.312{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DB83E4359E8EF5E65E255FEB13DE78,SHA256=03F71648E73B56BA7B28DF5183BE2EA6CA0B5BCB1527157AAFE9F646E6E00AEAfalsetrue 23542300x80000000000000001314789Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:02.349{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1245D21182E94C317DA220941138C25,SHA256=A63B9688BF17EA108079E0AB731057C0DB872C499F650C595171B71B7ED2AE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314788Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:02.159{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-6135MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:02.030{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:02.030{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BC8D8D2A40472A0F785CB059F1FECF,SHA256=A1D08D71A5A0EE4F096BF8F6410DA39A52921BFC93FB94B66138BC0158927399falsetrue 23542300x80000000000000001314791Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:03.362{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F3075AA42C3E57B9A2BE7B756BBB49,SHA256=3B018364DFB20638EE380BB079F305629D39322359C59477281CCF71B7CED49F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:03.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:03.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926B577E5D037B4B1D902C684EF9128E,SHA256=F418A78019F228762654F24FBA8EED3ED17A5ADA32EA5C680D844F1DE963EDC4falsetrue 23542300x80000000000000001314790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:03.162{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-6136MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:04.365{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F85A50675554ECC32FC7C4B19B091B,SHA256=5691E68B63AD52649526A3433AE5006E011F1B78A5738A10FB0FFED1398B9A93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004296730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:52.560{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63739-false10.0.1.12-8000- 11241100x80000000000000004296729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:04.358{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:04.358{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621EF6CC12C9BB5CA289BB9CAC6725E9,SHA256=58A321ABAE875C79D6F1A061101F57658E68CD883F5ACD4ECE099E5A69A89C15falsetrue 11241100x80000000000000004296727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:04.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:04.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2CE08ECEE639F71A6D808A5699E2D8,SHA256=29332EDB0CA187E9E13417C9E6DCFC358A9C896290FFFBF8CA0089341BDEBDD2falsetrue 11241100x80000000000000004296736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:05.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:05.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F3BF4CBBCE33D79447708066CEF55A6,SHA256=293EFF7137F9EAB2DF5C73C601E3734BC341F964E01F4DD83989FF796603C515falsetrue 11241100x80000000000000004296734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:05.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:05.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9AD0A6F590761CF3739F0647968368,SHA256=544CBA6D835165FD75A47B74863209645CFBD5D01601ABA96C3179829195074Efalsetrue 23542300x80000000000000001314793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:05.380{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB64032C793CDE07A447F967321D15E5,SHA256=14FF870F2DD8E78685461132F4A86D2A06358A7BA7F44AD094405B9937F1AF6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:05.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:05.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EE477E0FB6B0F59809FC824C6F4D8CD6,SHA256=DAE746558C54FD7F9213DA98935678D31EB4A89CA806F273DE2631252FFDB0A9falsetrue 11241100x80000000000000004296740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:06.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:06.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1A9FDDCF512F91FD88CDF7FF362F139,SHA256=E7A3ACC4A3295304F7679C2CBF89B18849EEA9425C4BAC5D50EB1C4838C4CC76falsetrue 11241100x80000000000000004296738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:06.517{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:06.517{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F03CC5B31D616C69238E901855663A3,SHA256=6863AA357960E44A41CC1276A6EE202DB98C9BBA18CD3FD12B48DAF6E07687EFfalsetrue 23542300x80000000000000001314794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:06.392{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052DC2E5B936374432623CCDD49AD745,SHA256=38C08944E3ED56DF41713700996AF022D54327BBCB86521DC6014E2B366D0AA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:07.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:07.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3237A8600CCC6BD4CB014BFBC803EFE6,SHA256=21F274F51F6741F06CFF54FC7DB2EFF2F9928B67463441E5208FBA0ADA519BBBfalsetrue 23542300x80000000000000001314797Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:07.407{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B8D788CE5A1D0824DB71468716FD64,SHA256=06530563AFD18A610CBDC8F68B786070BFEEC04828D131D2FAADBEC509FD3E40,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:07.502{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:07.502{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75D1B1A748B8FF7A00C2FD23A6E73AD5,SHA256=4AF2C0166B7001055E74292E7C6350F11FA18E37B720FEAD169E5D830F8EDA6Bfalsetrue 11241100x80000000000000004296742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:07.002{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:07.002{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15F95C8E06C1D9204C153E375D3C390F,SHA256=9B7D698D610543DB1363F3AA7B05872CCEAE1701C3AA1C7C27878B0E4E603133falsetrue 23542300x80000000000000001314796Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:07.189{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01260F9AEAF30D023FF4E856A385D73D,SHA256=492357E24C05993FE59C31AB2D6989153C934E01C011DA04F943DF7C4E7830E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:07.189{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=131CD5BBACE9605E7FBF4D937CDD76D3,SHA256=784C03EF57A4E0E8ACAD113C670F992FADF957FA4A591217600F636579BE2424,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:08.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:08.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8758161535DB26F3CE7712FC5A96AD49,SHA256=341412F5A58457FA304CECFF32E8990F20BD7ADB0604AD53D9C4D3FB33CAA01Cfalsetrue 23542300x80000000000000001314799Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:08.423{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE365AC79DED1CE53C1101826675DA45,SHA256=BD4D26D4B6AAA96711B0D55DF9D81317F54160C41470D47BCD250762D64C758E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314798Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:01.510{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:09.439{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D7A6064808286F5046F57AADBB4547,SHA256=CC6638FBA808D286E87937C5E4B6127F83C5094D3E6B4C0A25F326730CB9D19D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:09.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:09.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=28D1177A453A263F2D561B72B0B1ED52,SHA256=3CC055C9C61CE31DD6DAC8FCD7558795282FA19B7B550F81D2CCC8792BACBA52falsetrue 11241100x80000000000000004296750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:09.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:09.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C14002408C22A70985BB445C384A17,SHA256=7D27CE5D6EF55E771534DC72D4EC2068C9DA87076656967DBF30AE1007A1EE98falsetrue 11241100x80000000000000004296759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:10.861{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:10.861{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=19C63015BE387191497F52BBE3743C29,SHA256=7D5C28936031161FF41DF3A4B44306E04AF878A272026BCCC3339B5293C19E99falsetrue 354300x80000000000000004296757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:30:58.532{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63740-false10.0.1.12-8000- 11241100x80000000000000004296756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:10.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:10.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE9E0694A2F2FE2EE0EA22082AFDD1E,SHA256=A8C2444813E3432297C68F358B3F4A0E7C131F3D82372B1722828C7BC2AA8CACfalsetrue 23542300x80000000000000001314801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:10.454{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9129B6D8EEAAE66736488904F38034,SHA256=E88E4454976C7308ACDC5C6B0C66D5EEB4F8002836A47F134F3518C01FB3C53C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:10.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:10.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E64722B8188BE3B1AD17C7C221E021E3,SHA256=6C74A5CBCCDBDA2B490D0899B7326E267EB70E81A81F6E47F0E52E7A6F159158falsetrue 23542300x80000000000000001314802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:11.470{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE69C8765A90B5E2E7D8F848881308F3,SHA256=4AD7502A7C6B2CBCD07D47F668590C4840D00278551D77E6B08A4ED42556159C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:12.486{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8DF1D647C4EB76289B65BE4CA38F4C,SHA256=26762EC5730F1AE79AD03EC82CAD056DD207DA54E3EF9BBB66F57511856F7968,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:12.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:12.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85E9BD125F9DAD987178230930A78114,SHA256=2824410C94633B33B6E388BC422A04C98D441FD0912FB441C2FB58DAD5286FBDfalsetrue 11241100x80000000000000004296763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:12.017{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:12.017{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AAE720E5DCD4029FA82D5443602CBF65,SHA256=D6932CBEE7275806A10BD4BB4E84B9EA3231C4104ABAECB72B7FA2904E22A961falsetrue 11241100x80000000000000004296761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:12.017{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:12.017{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2E7D34752D8250D255E26700C04770,SHA256=988AFAD58632B88842E6215934AF54A365E6199909CC580FD97E150B22A88656falsetrue 23542300x80000000000000001314806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:13.501{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0460628D1A51EC5FC2085C11AB29B15C,SHA256=B0799077BAC2AF7F3EB04B9525BB8A9AC362B77DCB9342609C248A4AA2A4E90C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:13.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:13.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129A5BD770C248CEC906FA1FAC61443C,SHA256=700A6B9C576BFD70A7D783E3EF3F305B5EA0077FA940844A1CA4A5171BB3346Efalsetrue 23542300x80000000000000001314805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:13.095{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=820F8D73451999B8594C4505C1587BA1,SHA256=E1CD3746B9FD771EFE7C7E0E542A9B15B30D4B1827D49B386D3C849258C8AD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:13.095{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01260F9AEAF30D023FF4E856A385D73D,SHA256=492357E24C05993FE59C31AB2D6989153C934E01C011DA04F943DF7C4E7830E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:14.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625EECE1135D6358A771AE7ADFDBA937,SHA256=31BAAE6EE8730D5F4F14181AB0D7BAE6217652C7FED3FF84E39E73EBD1A68BA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:14.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:14.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99296A307CBB625C93F6E8F1CA79B705,SHA256=076A51E578C50D80A6B9F4959D7132CC07CECE4B90E50D7E48AC3374E7D1CBF2falsetrue 354300x80000000000000001314807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:07.417{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:15.532{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429723D4360D24E9753449D93BF27F64,SHA256=1EB52CD9C94B9328E5721A62AF74476E4B6C12975E58C0215653A6D67C451E8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DF7930358FF8A9513F8C591044EE488,SHA256=D4B269C4F664A4D0A6DB669A27894F340A705C7BC392B18F5E212723248D6EFEfalsetrue 354300x80000000000000004296778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:03.579{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63741-false10.0.1.12-8000- 11241100x80000000000000004296777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94117A40B90550B391C518D1F367B69A,SHA256=0ECEB56DB3B2CE6C195E43A39AB22FF31769E0B9DDF16D0052B5F16B665ACD4Afalsetrue 11241100x80000000000000004296775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57782BBDD608FEB49DBA25E2C22A1AA8,SHA256=4B97404B1E9E0920254656983784694DCC25628B0E3E7E3AD427426213AC31EBfalsetrue 11241100x80000000000000004296773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D26031581C6A70A8129677398B72670,SHA256=318E66A4D6758EA32C8DB65FC9C1683A605436CD11F9F3D2A27CB11206593E61falsetrue 11241100x80000000000000004296771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.049{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:15.049{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B0BF7AD72AB45E6E0A361898D3EF6BF,SHA256=84A053CFEB23AA27D37DC452DFE87945A5E53A7A103DB98716C66404F098A7A7falsetrue 11241100x80000000000000004296784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:16.752{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:16.752{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1736C51EB5A87DA464E12C258504992B,SHA256=314123A1B5532320AA072C65306194232715B3A4163B0E78839A9855FB9487F2falsetrue 11241100x80000000000000004296782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:16.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:16.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC01AF22971BAF15EA38AEC7B5D0476F,SHA256=4A5F3413782180771C7D21B63D0A5CB9C6890A74E4CEC558883DB6AC07F6A019falsetrue 23542300x80000000000000001314810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:16.548{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC15014931767747B308F82DC3C205C,SHA256=8386809515D5FA0D8F6F6DD9ABBC2175448CDA71ADF65F0DFB1CD7B6382FD3BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:17.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:17.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEBE318926342E7E79A464CD05B96657,SHA256=0BDB9DBA48C7214C99EB4B50D70FED2322545634B27308607F19CBE95B2BFE31falsetrue 11241100x80000000000000004296786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:17.424{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:17.424{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53823E6EF514E8DC504F591DBA148CE9,SHA256=EFB31D8EC54DCBA0D99887E4CF4E03EE8474019A796D994BE7B9149EF77F42E4falsetrue 23542300x80000000000000001314811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:17.579{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED3BE4E97734D7DF2437B2742FFFA39,SHA256=7276BD2F1B453D1387DB53CBF5D3C8C00F5B703825B7FB97751BC68501D5D00D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:18.767{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000004296791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:18.767{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=523216D0114BEE79318C86CC070EB662,SHA256=66BD431166ECB8EC14AE57F864EFD112B0F9C39A854D5B82427C5053EF5A4B81falsetrue 11241100x80000000000000004296790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:18.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:18.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C4FF06B7CB1100D949114F66E22DC8,SHA256=DA74B53D0AB1C628120F8E8AAD5F5482A7CB6BBAB1F6D21B398D3979E8F0787Bfalsetrue 23542300x80000000000000001314815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:18.595{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598385C927C91BE317E4D5F1FA764F2E,SHA256=52C7E9A8D9141B773E6AA050E1E2C866E1FE775591484D6B75A08DB23A9B0B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:12.588{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:18.267{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4AB517C8845B1F3D66EBCCF8361428A,SHA256=A92562752A6349E1FCDCCC23ED8FD1177AD13B4982C9297CFB16740A9F74867F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:18.267{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=820F8D73451999B8594C4505C1587BA1,SHA256=E1CD3746B9FD771EFE7C7E0E542A9B15B30D4B1827D49B386D3C849258C8AD39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot\snap.dat2021-09-08 00:31:19.986 23542300x80000000000000004296800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=B92CBA455308D1B027E27FEE77A556DA,SHA256=3BF573898FBA29F001DA99D6BE184592A6F509010BBF557911C19874E41DDB0Dfalsetrue 23542300x80000000000000004296799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=D1FABF0F874838479EB63DD4B493D3C8,SHA256=C10311D5D58046F237BC8B78FA49D51333F0A829DF3239C8D3ADC9D0520B493Dfalsetrue 23542300x80000000000000004296798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=9F66460864900214210E720BC7148FA2,SHA256=D0CD7CA24697A619D591C5994BA6C62EF981511960903E92F798021885126E17falsetrue 11241100x80000000000000004296797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.tmp\btree_records.dat2021-09-08 00:31:19.986 11241100x80000000000000004296796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.tmp\btree_index.dat2021-09-08 00:31:19.986 11241100x80000000000000004296795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.986{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.tmp2021-09-08 00:31:19.986 11241100x80000000000000004296794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65ABD7655CF03FD67A6A1CCDA74270B4,SHA256=254CAEAF6ED7D26F0873581A89127BC2CE62B4A03CD69E7C769B63108115796Dfalsetrue 23542300x80000000000000001314826Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:19.610{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1AC223901ACD3D1E47AA42102A71D9,SHA256=46F71D39E5DFFBFA3AC79627536A3B957C44DB6CF50B6F25823267CFBE2B0EFC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001314825Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001314824Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1681c06c) 13241300x80000000000000001314823Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a440-0x74e82920) 13241300x80000000000000001314822Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a448-0xd6ac9120) 13241300x80000000000000001314821Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a451-0x3870f920) 13241300x80000000000000001314820Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001314819Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1681c06c) 13241300x80000000000000001314818Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a440-0x74e82920) 13241300x80000000000000001314817Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a448-0xd6ac9120) 13241300x80000000000000001314816Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:19.095{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a451-0x3870f920) 23542300x80000000000000001314851Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.657{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F72DBFB129D7B0ADC82C8EFC9BBD7E,SHA256=68A9919042078CAA8F98CB10A2BFCD71E08B31C40A8B40C7D397FCCAE5B6996E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=248A6E66797669AA5D3CB6540CA939CD,SHA256=4449E0AA7232F8EA8AFD039FEDD4EBFA7DC04701B8EA0A816A6E747DE6269258falsetrue 534500x80000000000000004296866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.877{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004296865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.877{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004296864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.877{4DF467A6-0458-6138-A7B4-00000000F001}42202256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.861{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.861{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004296861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004296857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000004296855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.752{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004296824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000004296818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.737{4DF467A6-0458-6138-A7B4-00000000F001}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:20.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.611{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.611{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5C5F1490211B5DD91C4AE06792ECA1,SHA256=0854E8C49B02A6CEE5EE62EF66FF6FACC54BEA5B9047B376EE204BCED1484F1Ffalsetrue 11241100x80000000000000004296807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7748F1B1438FA2A239AC6495A290303A,SHA256=9EB3C28DB4EC720654D9B1D7F05C0B716873E3D32175CA9B7AFD9CAAECAE50CBfalsetrue 11241100x80000000000000004296805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57782BBDD608FEB49DBA25E2C22A1AA8,SHA256=4B97404B1E9E0920254656983784694DCC25628B0E3E7E3AD427426213AC31EBfalsetrue 11241100x80000000000000004296803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.017{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:20.017{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F7BA29833BC5DD3C94E2C8A926BCC61F,SHA256=A767CA28F57222CD9F52A119E6A86FA1BD6F3B987A0BC9679D82459F21FF2820falsetrue 10341000x80000000000000001314850Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314849Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314843Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314842Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314841Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314840Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314839Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314838Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314837Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314836Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314835Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314834Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314833Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314832Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314831Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314830Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314829Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314828Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314827Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:20.251{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000004296933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.767{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004296932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.767{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7748F1B1438FA2A239AC6495A290303A,SHA256=9EB3C28DB4EC720654D9B1D7F05C0B716873E3D32175CA9B7AFD9CAAECAE50CBfalsetrue 11241100x80000000000000004296931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.705{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.705{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=09EEA8CEB00F158D2FAD743AF487F522,SHA256=80EE74A4C85A7A04BA05152DD46BF1D8087003AFC98AF8C51EE4CF7F80CB0286falsetrue 11241100x80000000000000004296929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.642{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.642{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1630B81430BCB6C0953E768B52D54AB6,SHA256=70C2D7CD307D2E178A3D4A6556624D349D72612B2857555715224B24ED4C1CACfalsetrue 23542300x80000000000000001314852Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:21.673{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F732DE5196861AA0EAD7BA5E824A5ED,SHA256=13A576136CFAA3CE296EE34490EFE592CA9F2B3DFC98F75BBA189FBBAAC04E2A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004296927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004296926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99105994DBB51FE81A46DC1E5AE053A7,SHA256=EE21D89AE54ECD4CEA7097841AEDDDBEEF0C234BB3F70BC5E49F79BA49F918EBfalsetrue 534500x80000000000000004296925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.533{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.533{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004296923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.533{4DF467A6-0459-6138-A8B4-00000000F001}63286564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.533{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.533{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004296920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004296914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.424{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004296878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:21.408{4DF467A6-0459-6138-A8B4-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:21.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000004296869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:08.688{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63742-false10.0.1.12-8000- 23542300x80000000000000001314853Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:22.689{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013F72426250C3A9D65E299E674CED46,SHA256=7C5436DAFD3BCE2DE74252EE797E0ECA1AB624183F3D3F4C047F63EF200D578C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8220B2465D1D619A814B10C7D9863BB9,SHA256=358183A38335542AF2C5B8C3A89AD0E8882961111676C88FEA97116351609A87falsetrue 534500x80000000000000004297047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.877{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004297046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.877{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000004297045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.877{4DF467A6-045A-6138-AAB4-00000000F001}41486940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004297044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.877{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004297043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.877{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004297042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004297041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004297040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004297039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004297038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004297037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000004297036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004297035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004297034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004297033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.767{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004297032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004297031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004297030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004297029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004297028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004297027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004297026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004297025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004297024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004297023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004297022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004297021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004297020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004297019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004297018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004297017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004297016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004297015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004297014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004297013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004297012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004297011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004297010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004297009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004297008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004297007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004297006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004297005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004297004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004297003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004297002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004297001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000004297000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.752{4DF467A6-045A-6138-AAB4-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:22.752{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004296991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.642{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004296990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.642{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=00DE099C60BE5DCFB1D04AF92C2C48CD,SHA256=38334822CD5A01D1C96767635386072470A9FC38169435D65714134E8160ED42falsetrue 534500x80000000000000004296989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.205{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004296988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.205{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004296987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.205{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004296986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.205{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004296985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004296984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004296983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004296982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004296981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004296980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000004296979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004296978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004296977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004296976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.095{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004296975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004296974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004296973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004296972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004296971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004296970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004296969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004296968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004296967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004296966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004296965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004296964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004296963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004296962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004296961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004296960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004296959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004296958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004296957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004296956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004296955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004296954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004296953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004296952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004296951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004296950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004296949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000004296948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000004296947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004296946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004296945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004296944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004296943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000004296942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004296941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004296940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:22.080{4DF467A6-045A-6138-A9B4-00000000F001}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004296939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004296935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004296934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:22.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001314854Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:23.704{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68DE0E74C88D2340A51EE4D4AF9A7DA,SHA256=B0F18D80B6E79E13F1939DD5743558A824448E2ED2F1A586E914006AE894F5BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.814{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.814{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD2E017A0E970A7C9431A363F449B68,SHA256=87C8960DE2C2CB7A1338F1A338E409CF6813B7B59BC453CD534EDE1F56403A11falsetrue 534500x80000000000000004297141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.549{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000004297140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.549{4DF467A6-045B-6138-ABB4-00000000F001}54566680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004297139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.549{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004297138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.549{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000004297137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D1C6E9D8A67AF702A14CB514B41004,SHA256=B0207F563684CCDAF936398320541102F361C0045B6591FBBAD25476C9473B9Afalsetrue 11241100x80000000000000004297135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.517{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.517{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E106C5AFE9E5F15627BBE97C8DDB4BF4,SHA256=D732075CB1F146A6DCE66912174E80BC50EC1EB813AA113E29479FE3371824D7falsetrue 734700x80000000000000004297133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004297132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004297131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004297130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004297129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004297128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000004297127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004297126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004297125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004297124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004297123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.439{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004297122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004297121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004297120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004297119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004297118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004297117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004297116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004297115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004297114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004297113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004297112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004297111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004297110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004297109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004297108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004297107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004297106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004297105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004297104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004297103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004297102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004297101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004297100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004297099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004297098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004297097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004297096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004297095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004297094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004297093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004297092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004297091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000004297090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004297089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004297088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.424{4DF467A6-045B-6138-ABB4-00000000F001}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004297087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004297085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004297083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:23.424{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000004297081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000004297052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.392{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000004297051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:23.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC8867DA4686E91DD754B9AD89D017C4,SHA256=492F90289029B8E9EFD8CE120AE36888E297FB61C34075AEA5984BF85609F6FDfalsetrue 11241100x80000000000000004297263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.970{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000004297262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.970{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 534500x80000000000000004297261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.892{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004297260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.892{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004297259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.892{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004297258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.892{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004297257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004297256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004297255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004297254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004297253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004297252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000004297251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004297250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004297249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.783{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004297248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004297247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004297246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004297245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004297244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004297243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004297242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004297241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000004297240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004297239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004297238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004297237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004297236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004297235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004297234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004297233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004297232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004297231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004297230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004297229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004297228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000004297227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004297226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004297225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004297224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004297223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004297222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004297221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 23542300x80000000000000001314858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:24.735{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E58857C7ECC550AA514F6AD139A40CE,SHA256=A35FE2F6F07721906836004AEBC267B50C5F28389582862C23F73F031D6BD4A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:18.385{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:24.048{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6272C5BE4CEFA686A11027AA2AE34B9,SHA256=834B158B1A15B523A11B665D9A76F8AFB91318416034B2F7AD8F670B68EBD57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314855Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:24.048{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4AB517C8845B1F3D66EBCCF8361428A,SHA256=A92562752A6349E1FCDCCC23ED8FD1177AD13B4982C9297CFB16740A9F74867F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000004297220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000004297219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004297218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004297217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004297216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004297215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000004297214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004297213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004297212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.768{4DF467A6-045C-6138-ADB4-00000000F001}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004297211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004297209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004297207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:24.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004297205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9058AF5E718BE44BE135C23A5F38973F,SHA256=4FB17E95BF2033EB85EEC556D2958969BC63E9AA497F960F1ECD75FDE5CD3992falsetrue 534500x80000000000000004297203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.220{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004297202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.220{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000004297201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.220{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000004297200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.220{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000004297199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000004297198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000004297197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000004297196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004297195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000004297194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000004297193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000004297192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000004297191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000004297190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.111{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000004297189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000004297188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000004297187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000004297186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000004297185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000004297184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000004297183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000004297182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000004297181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000004297180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000004297179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000004297178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000004297177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000004297176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000004297175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000004297174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000004297173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000004297172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000004297171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000004297170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000004297169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000004297168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000004297167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000004297166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000004297165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000004297164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000004297163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000004297162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000004297161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000004297160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000004297159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000004297158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000004297157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000004297156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000004297155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000004297154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000004297153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000004297152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004297151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000004297150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:24.096{4DF467A6-045C-6138-ACB4-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000004297149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004297147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000004297145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000004297144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 00:31:24.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000004297275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B542C30402324A54E23A4867338E40BB,SHA256=04EC9B702F59ADD9143659A63FB4B30DB72E581F5A3890400E59E154B2E2C814falsetrue 11241100x80000000000000004297273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.955{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.955{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38749CB9B3D345D7BBB1837A5440465F,SHA256=5556082030834BF278B1A05D8FA6F306A3B03FEBDDDEE6ABE332F1584B8CB614falsetrue 23542300x80000000000000001314859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:25.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C16BD11D049AEA72D5713420BA29C48,SHA256=C0170788B684070C85E725E71E88F6ACF19A988E164FC671B9581C12563BA09A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.783{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.783{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=478FA7230368019BA77258BF4B6AF081,SHA256=15649C621EBDF640ECFA76B194D7C8D834D39C7EC75C02438E39906C720486ACfalsetrue 11241100x80000000000000004297269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E200CF1187DB7282EF0EC2740C7C59B,SHA256=1CDC5CACFE303D4CA32BE6C3CC7FAEA936C3BB45BE8B8D3C43A40E562950361Efalsetrue 11241100x80000000000000004297267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.064{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.064{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE9612407B348B1D5A62C8AB9BB1AA19,SHA256=FDE9BE7B182A159CA53979F4031E35E02BD0E019B481E7ED43E553AC4D795944falsetrue 11241100x80000000000000004297265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.049{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.049{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A8EA57E804EF7AC5AD30C888DC2708,SHA256=97DE2359BC1267F3A718EC88495F4D7A566BEB6FA9E04F37DCBE2B1B9E21D73Afalsetrue 11241100x80000000000000004297279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:26.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:26.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EF21D2F39C0119FD4438D5FC14608D,SHA256=0DCB11AF76B539C52502B0AC2059AD43D3043DB33ADF53C005425CC3536CB6C5falsetrue 23542300x80000000000000001314860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:26.801{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE589F398B6B617A265DF9D61B5B16A,SHA256=D4A78579051ADADCDF78A5359E5D8DF672ED44A83F7B4BDCF0686669A9B272A7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:26.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:26.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A91626DF416A6F638E8925B71A601AE,SHA256=D83C6300C2C03BB3C9FBA446DDF5460085873C94A42604EA469B3A867DA7EABAfalsetrue 23542300x80000000000000001314861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:27.816{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCDFF28482837F0EF8E2363D81991B8,SHA256=9FA4FA0242CCF65927FF1582F99A87A4A33F4D7E949BA72C44B492A459FB9B10,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:27.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:27.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=856F8CEF5EEE619255BB50A702A35FF9,SHA256=2ECA62147F05F94E0D016F47E98D395BB801B27D99620B4B85D4E76564EC257Ffalsetrue 354300x80000000000000004297283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:14.484{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63744-false10.0.1.12-8000- 354300x80000000000000004297282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:14.406{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63743-false10.0.1.12-8089- 11241100x80000000000000004297281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:27.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:27.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E74550B4B3B1AFE8005D13CEB9C98506,SHA256=B6E9DA544005AFFD0A2AC9D833B2F1EA212BF6AE13EF117260097686281D8604falsetrue 23542300x80000000000000001314862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:28.863{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508CEB1F365D79F29BE929C490D15035,SHA256=204D3D625E7E5595DAECCD1DAC0A074B32F3C4BB3C22BB2D4D7165B9F1E30BB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:28.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:28.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A1ADB9F92AA66D28E21163A830DA5,SHA256=61FBC307819C997F582FF51C851CBA90C028A6A9D4C7FA341BC5E3661B6BA75Efalsetrue 23542300x80000000000000001314879Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.879{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F27E7007C77674E457AD67989D36CF,SHA256=B8787A42D5C98BE2B9527410E0DB9D1C0F34E682694584790B840D2AF801891C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:29.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:29.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34097E3D81108366B36183E8FC072E6D,SHA256=6178F45965A45928B8958063AF3CEB968F5A60D2162F6EB977E292B3D1DB5199falsetrue 354300x80000000000000001314878Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:23.435{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001314877Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0461-6138-D0B0-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314876Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314875Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314874Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314873Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314872Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314871Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314870Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314869Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314868Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314867Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-0461-6138-D0B0-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314866Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.660{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0461-6138-D0B0-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314865Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.645{AEE49BD1-0461-6138-D0B0-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314864Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.113{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0E7002D7A0A3A4CC8E64FE41011333F,SHA256=632CED625B9E6AB80433B1C18E43BE4536C98802215BDCD8A8C55DDC84BCD66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.113{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6272C5BE4CEFA686A11027AA2AE34B9,SHA256=834B158B1A15B523A11B665D9A76F8AFB91318416034B2F7AD8F670B68EBD57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314908Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0462-6138-D2B0-00000000F101}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314907Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314906Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314905Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-0462-6138-D2B0-00000000F101}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314897Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.972{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0462-6138-D2B0-00000000F101}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314896Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.958{AEE49BD1-0462-6138-D2B0-00000000F101}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314895Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.910{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8E456B0FAC7B2B6AE5D136E0860E49,SHA256=12E4C52A7E4C524311BAD77BC6627A5E863E11BD2A96800C2873295D21EDCB69,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:30.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:30.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=774D4771B3A3559A52AFCBA08B86DA93,SHA256=8250F9F63B0C65C9C82AAE7A6C455A093C2EE1F53BC5D3D34A66EC1CFA7EA43Ffalsetrue 11241100x80000000000000004297291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:30.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:30.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC997736A0C4839A94FAD849740B6B43,SHA256=3D55D91C8FD83E7DD01488542714CF2C6B4735DE0DD71DF2DB33D6BCD3AF1645falsetrue 23542300x80000000000000001314894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.660{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0E7002D7A0A3A4CC8E64FE41011333F,SHA256=632CED625B9E6AB80433B1C18E43BE4536C98802215BDCD8A8C55DDC84BCD66A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314893Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.457{AEE49BD1-0462-6138-D1B0-00000000F101}21565892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314892Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0462-6138-D1B0-00000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314891Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314890Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314889Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314888Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314887Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314886Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314885Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314884Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314883Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314882Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-0462-6138-D1B0-00000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.347{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0462-6138-D1B0-00000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314880Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:30.332{AEE49BD1-0462-6138-D1B0-00000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314910Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:31.957{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7CE5FA59B410D9B2EA22760950E3A59,SHA256=6FC3709F914885B4F75A1632D1F863E81F440381CF7947394CF333A069FE6837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314909Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:31.925{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE0F06AAFFEBA8D62BA3A4FCBF91D42,SHA256=78BE2ECC4FF1B9B3354D0758810C7FC54110BFC98641E1E880751FAC70915208,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC858513062677501E4C542E46E6A2D1,SHA256=41BC50D655EE89495F01F3D06428D323308AD3519C7BB5E58EDC2BC5CA24BCD8falsetrue 11241100x80000000000000004297300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85CA96C3070CE892D52DD32794F6584,SHA256=4E2EDFE9E76C14436888BDA3D926BBD9BCC00298A4FBA3D0F83B0E2981912383falsetrue 354300x80000000000000004297298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:19.643{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63745-false10.0.1.12-8000- 11241100x80000000000000004297297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8F793903D7941EB4D8BFC7C2F65C07,SHA256=51A6C057068D332F5127F351E90A0A358E12EA389F4492CC769D56E10A796B26falsetrue 11241100x80000000000000004297295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=548C1815A1B6B478F227206490324494,SHA256=57B21290EB1AE40E7DE6DD4D698384E189F19F0F525C7CD048F530905D1DB19Ffalsetrue 23542300x80000000000000001314911Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:32.941{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DE9E8FCFF7B14B2A424F5AC3704104,SHA256=B1A47C87B46288B9CC92C7E4B2655C32B4B8CF4C8DD0F407F40A09E431EDDA33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:32.754{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:32.754{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14375245716A0575C4E95F590E55365C,SHA256=4103E1F50F4B5F8F725094FF077D9D14AAB2BF3E7A5CDAABD794C61D9E5242DDfalsetrue 11241100x80000000000000004297304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:32.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:32.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8704D38229CC52AAB4BE0E38B1D72D67,SHA256=C183C4BC0CEB72E7A0680D46C91EB4D4E26EE892B5B775E7C97F82157F7D4857falsetrue 23542300x80000000000000001314912Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:33.957{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B246B1454AC6A73B4CF4AF61FA28D5D,SHA256=4E24D444D266BEDAE9A72A1E82B3D0E2A0206BB7E5A4749CBFFFAAC83306E322,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:33.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:33.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9315A9878156E3965DE6DE6B2E5249C,SHA256=980A549CC7F31B6D64105DFB01275C7D589D4B443969889124606F803A404B28falsetrue 23542300x80000000000000001314913Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:34.988{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A380E8FBF2562A415A2F5B2FC697EBA1,SHA256=C43EA6404CC7073D120C7B2B40C7A3D61A5A10713B09D707E54C725D250B96DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:34.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:34.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3018165740C5D53AFDD53F18054891,SHA256=34CD9DAD8F0E98BAABB595CE165B4BD88022B1FFC339F8D83E382ECA003BA1E7falsetrue 11241100x80000000000000004297314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:35.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:35.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CE64B9EE17C7BF47A1B3E15E5C9A13,SHA256=99BE4D0F541A5BF2C5114DEEB65D33A76DE3121B7A3F644CE0BE997719934623falsetrue 23542300x80000000000000001314914Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:35.082{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D6D2345FB6C022C077C40EBF7C00DED,SHA256=A3CEB9522DB6E26D2805FD3930F09366C70800ADEB7C32CDAA4B8C394E441828,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:35.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:35.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E431EBFB2B801B524246BC55F2280547,SHA256=8AA5EEEAF2B8D35849AC632E0E2B7503CED60A7F3F84AC336AEFB45B76E5743Bfalsetrue 11241100x80000000000000004297320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.864{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.864{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20FD81C993B4299739A1F09838107106,SHA256=405B8AEB7B62935CA868F76F79006CCB24044D7A434E71A109C93A32EBA64F30falsetrue 11241100x80000000000000004297318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452EF71D86E0088CE1DACC2B024C3DEB,SHA256=6B5636FA27E12B308F2FB1ED4BB1B561ED415686FECC0AF8CDF55FC70DA4E09Dfalsetrue 23542300x80000000000000001314916Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:36.004{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39709D25359B2376D23351A6E64800DE,SHA256=8744A34B7F2F864022D9054F7EB7462A3AE66A9F789E75CF8DFDB2FCB55CA286,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001314915Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:29.403{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59614-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000004297316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9916FE73AEE95713FC9D4BCEE0B7CCB4,SHA256=0B562F9354576A4E21A763146BE65DE199D688063C6D1DA4E3B47A64D4209315falsetrue 11241100x80000000000000004297329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8AD3CC82BB1967E0397234A18648E34C,SHA256=244A29F1A4F21C57C3153BB74AF6B3F7351CCF92765251E93DDE14414B10F70Afalsetrue 11241100x80000000000000004297327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.645{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.645{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F892B749083F8C6B527F4ED9EB51D8,SHA256=E60CF40EE22060C9C998BC5D323CB7F156373B35AA7732F5EEB3F9C0C3925999falsetrue 23542300x80000000000000001314917Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:37.019{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1507B91F77AB04FC7C29C6C7EEFF9445,SHA256=557F36D81BE0B9D0153E62BC022AED129ADC5317122D834A1A8F7F1A196F900D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004297325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:25.674{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63746-false10.0.1.12-8000- 11241100x80000000000000004297324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9EEE54B00793F594FD10096794CEF77,SHA256=4F70373BF722913437AF8C6F251D6F5DE4D3DB04124689E4D6B25FC960ECAECAfalsetrue 11241100x80000000000000004297322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:37.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10BB1796B615B2E35065B86D937385EE,SHA256=E092E0E925D85379ABD98EA7E9BF0CCED0D3337C78C44799F37E03E7A1F03D27falsetrue 11241100x80000000000000004297331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:38.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:38.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E02731192F6F73C1434970C895CA30C,SHA256=EA27CDF467F73D510E4FCC706B3AD5936AF0A9232DE260CFAA4C2E15712DDE3Cfalsetrue 23542300x80000000000000001314918Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:38.035{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB412D15298CF2A1224C8F8822B6AFCD,SHA256=2A086FC628FE524A1C4EC57FA56D12665D7129E18739A48DB33D061453411C0D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:39.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:39.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369BCFAE58AA46B5EFE414F5AFCBC475,SHA256=4F60F55F28BE51FE4127593149368BA6CBD33C6CF65E4E5633060016EAADF044falsetrue 13241300x80000000000000001314920Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 00:31:39.644{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a448-0xe3c1c6c7) 23542300x80000000000000001314919Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:39.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA471B2D7A52D66616042F945E64A8B,SHA256=26299E80CE41F43643376961ECF106AB665D01AD181BDCC381AA4D9FF8B530FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:40.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:40.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D9FFFF9D7A479AA39A9E8218046453,SHA256=1D78BC6A103F6E60B22498D0527670D15160125615FADDC536C822B3DB3B3A88falsetrue 23542300x80000000000000001314923Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:40.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA64ACB26DB15E2DC90B5A4D7D63DE3,SHA256=D3F73DD7F3063D39EC578AC871A76E3367CD02B46EA5DC5819FCDC224579D1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314922Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:40.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7876FD9CC1A51F854B7796C6B8DAED9,SHA256=BDEBFCFE35A7752940BD2F2ECBA4EBDAA30A2A43BF4E9E7959BBB66713272E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314921Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:40.097{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149298653180E68331D21DAE025F0DF,SHA256=0252F62DC705D0A60A65751906870F443324F2CE34D9092A51ED0AE3072463B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:40.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:40.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9EEE54B00793F594FD10096794CEF77,SHA256=4F70373BF722913437AF8C6F251D6F5DE4D3DB04124689E4D6B25FC960ECAECAfalsetrue 11241100x80000000000000004297335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:40.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:40.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D28283404EF15B131C7CF97F6F88310F,SHA256=6E5B6DDE60A5810886AE6C92F7BC026CC655E6CA657E5BEDE05E5687FB396CDEfalsetrue 11241100x80000000000000004297346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:41.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:41.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73E7484C2F53750D8326D3620033B5AB,SHA256=26B8F1AE6184AF271F1532FB430F631D77E28E740658BB001B5BFC2C059CE9B1falsetrue 354300x80000000000000004297344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:29.064{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-291.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 11241100x80000000000000004297343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:41.770{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:41.770{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B97B335104EF86D063301EF175C33BB,SHA256=742EF183BF73A9E9598288E72777D856520EF7FD38A167D8D4866C9086B13F89falsetrue 354300x80000000000000001314926Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:34.981{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 354300x80000000000000001314925Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:34.544{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59615-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001314924Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:41.113{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406296BBA04A3F0F181A5870A5803A97,SHA256=60982D1D1C7B012E3F08AF4FA88AF8D3D5D83052215A6B7E5E2A7EC86DD98338,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:41.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:41.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B53D313D439795DC1F5399D814327305,SHA256=4C7B07EDA9954D075FAC093F4E6990347218099E563D2D8F3A39FA64139657E4falsetrue 11241100x80000000000000004297352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7403A76A1BBFE96739302618B7C211E,SHA256=3D8E2D9E1A9A304340454BDF03C63833C3A2EB9313ED30DA2EA0B19FCF45D6ABfalsetrue 11241100x80000000000000004297350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0703AE9CC438F53362FD609C75755AF0,SHA256=B431BB4E862CAF430C62C83CA8A0C7A03A0F2A4CBDCF650C64C1B7ED4A6C41CBfalsetrue 11241100x80000000000000004297348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.035{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.035{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A674A574BC83B9EA1275D310931C8C49,SHA256=267C54D66FB36641B9DF409C86005E275B69695A073A6830B4C82837E4A553F7falsetrue 23542300x80000000000000001314927Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:42.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323F4C69A0A14BEAA5F6C7DF7BF0C238,SHA256=A2024625A9535284C97608FFE03173AD86012B8456ECEF53866E808CFEA91FC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:43.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:43.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E1E062DFFF8B4D932C0989A16332B5,SHA256=692B6943B31319B516E2C7400779C46C45CD9904DF401EA153E93057BABD96FFfalsetrue 354300x80000000000000004297356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:31.440{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63747-false10.0.1.12-8000- 23542300x80000000000000004297355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:43.073{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-6145MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000004297354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:43.069{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-61452021-09-08 00:31:43.069 11241100x80000000000000004297353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:43.069{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-61462021-09-08 00:31:43.069 23542300x80000000000000001314928Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:43.160{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D5C9F69F517D559F93DF3BA6817593,SHA256=1EA5FA8553674ED5B1A6F3F0365A177C494DD9572FAC468B9099225F8B1BD379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000004297359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:44.081{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-6146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x80000000000000001314929Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:44.175{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCCA966C7349407489AA675E1EFC0AF,SHA256=F6C05A0A79AC90694F79E859BE3D86AF470AFC0B501EA54E28244471F3BD1B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314959Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0471-6138-D4B0-00000000F101}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314958Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314957Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314956Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314955Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314953Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314952Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-0471-6138-D4B0-00000000F101}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.910{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0471-6138-D4B0-00000000F101}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.895{AEE49BD1-0471-6138-D4B0-00000000F101}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001314946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.332{AEE49BD1-0471-6138-D3B0-00000000F101}32964324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001314945Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC02FE4BE64D3E31B7B2C55AC11E372A,SHA256=0C13EA491799E2A82DA483D473E3DBA9495CB1A7DE2B0E8328ADB0064CD7E39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314944Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA64ACB26DB15E2DC90B5A4D7D63DE3,SHA256=D3F73DD7F3063D39EC578AC871A76E3367CD02B46EA5DC5819FCDC224579D1ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0471-6138-D3B0-00000000F101}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314942Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314941Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314940Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314939Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314938Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314937Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314936Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314935Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314934Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314933Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-0471-6138-D3B0-00000000F101}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314932Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.222{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0471-6138-D3B0-00000000F101}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314931Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.207{AEE49BD1-0471-6138-D3B0-00000000F101}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001314930Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B22C45172A7AFF3AF975822127A0B4,SHA256=1EE119C1A14EC047788D6245727835B51C8A75FAA9333F2963DF8B3678849917,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:45.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:45.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F28129C4EC3893E64D4ADACF662878BF,SHA256=FEEDA78BA0265C6DE6097B40F758B328228ACE105CA43F30FA3468604832923Afalsetrue 11241100x80000000000000004297361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:45.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:45.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4AE427D8A18309191DE135EF2594EF,SHA256=99CC1A6FE8E0C180351A940EBF1D86DC07246923C8A21BFBD603D8BC109F163Dfalsetrue 10341000x80000000000000001314977Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.721{AEE49BD1-0472-6138-D5B0-00000000F101}44605164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001314976Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CA4039DAA670E4653F093E5A2A5B6C,SHA256=6DA82912AF6CB011FEF7BC8C902C7337A5AB793FB404A1C60781EF4111F3C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC02FE4BE64D3E31B7B2C55AC11E372A,SHA256=0C13EA491799E2A82DA483D473E3DBA9495CB1A7DE2B0E8328ADB0064CD7E39B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001314974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0472-6138-D5B0-00000000F101}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314968Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314967Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314966Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314965Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314964Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-0472-6138-D5B0-00000000F101}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314963Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.596{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0472-6138-D5B0-00000000F101}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314962Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.581{AEE49BD1-0472-6138-D5B0-00000000F101}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001314961Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:39.591{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59616-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000004297379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:46.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:46.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10061584EF6ADFC8529F78E2BDF52FF9,SHA256=56DC6B9A022D574B62F3E7DFF49834C62818802A9042D06F9B9D78BC189CDECDfalsetrue 11241100x80000000000000004297377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:46.066{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:46.066{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694CCFBA2C3CE7DFFEC29992246BD59E,SHA256=FE17DD4D29AFB2F72D490B3CC27D1DDB9823BCAC9BB6C5E7804C2F01283C2D4Dfalsetrue 13241300x80000000000000004297375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000004297374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x168a2cdb) 12241200x80000000000000004297373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000004297372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a440-0x84fd6f04) 13241300x80000000000000004297371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a448-0xe6c1d704) 13241300x80000000000000004297370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a451-0x48863f04) 13241300x80000000000000004297369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000004297368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x168a2cdb) 12241200x80000000000000004297367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000004297366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a440-0x84fd6f04) 13241300x80000000000000004297365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a448-0xe6c1d704) 13241300x80000000000000004297364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 00:31:46.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a451-0x48863f04) 10341000x80000000000000001314960Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:46.018{AEE49BD1-0471-6138-D4B0-00000000F101}4276996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001314979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:47.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7244FD1A2FBD2CC5407CAFCAA1EAB5B,SHA256=133F8D2DD42B6E7A8FCA5C731F1DD3F124D30F78DC1C85313C70B0AD32FEA6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314978Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:47.456{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A96C3733642E59E1ECCE0FAF4D1C3DB,SHA256=C5E763BBF0D6EE1DEE25DFA9A1D4F576F00CC854408EC3F9F50D26866E9F16FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.878{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.878{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ACCA3CC36EAD0F36A15C32320BE04A77,SHA256=745C0AB820730F394A79DE01FCF07AC5E580A41743DB35DD92774C14DE1CCB02falsetrue 11241100x80000000000000004297387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5D4A1A5768BF8552894EF8395B6E89C0,SHA256=0CB41F6B2613AA447C2DE04F2BF04232A59767DD9BBDFC99935C3DA9276F24FEfalsetrue 11241100x80000000000000004297385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5932DADAB36F7DC2F42E6AFC3D3A10E,SHA256=35AB6E76A987890B929C3AC11AC79AE567E9B39CF87548673D55E43111E7987Bfalsetrue 11241100x80000000000000004297383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D663A75A50395322268079C80025537F,SHA256=C2FFC71C316E84175231FED463905C4B8323C37142D4A07EA628FF28813EE95Dfalsetrue 11241100x80000000000000004297381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291A79CF611DE12A5A51392523BA35CE,SHA256=241FC03C858EB8472DA5B3DDBA569AE836CA39769C5FBBE00B88D8A96865F8C7falsetrue 354300x80000000000000004297398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:36.563{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63748-false10.0.1.12-8000- 23542300x80000000000000004297397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.628{4DF467A6-446E-6132-2306-00000000F001}6656ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6656.xml~RF168a36dd.TMPMD5=1938CCEDB6D1C2D71B9FBD689A410B29,SHA256=ACFDC23867C0E7455FC34BEE9076161330046A77422999E289353D7001AD41C2falsetrue 11241100x80000000000000004297396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.628{4DF467A6-446E-6132-2306-00000000F001}6656C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6656.xml~RF168a36dd.TMP2021-09-08 00:31:48.628 254200x80000000000000004297395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.628{4DF467A6-446E-6132-2306-00000000F001}6656C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\tyefk1vc.tmp2021-09-03 15:53:11.9822021-09-08 00:31:48.628 11241100x80000000000000004297394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.628{4DF467A6-446E-6132-2306-00000000F001}6656C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\tyefk1vc.tmp2021-09-08 00:31:48.628 11241100x80000000000000004297393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.378{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.378{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9616C16A1B7397D81763973A2D80E396,SHA256=56AF49144E6CDA242BADABF7F4DA06B82EDA5414591F6834F1383F8478F751B8falsetrue 23542300x80000000000000001314980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:48.471{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FD73CE9071ABFA255314DD623BA6EA,SHA256=FAA51CA9E1B14FCE219B7BA3BBAB2F38328E5EA40BA222D768F9CFE091AE86B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:48.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5932DADAB36F7DC2F42E6AFC3D3A10E,SHA256=35AB6E76A987890B929C3AC11AC79AE567E9B39CF87548673D55E43111E7987Bfalsetrue 11241100x80000000000000004297400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:49.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:49.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E902DF4015066E07003FA87B4403CFFC,SHA256=A69435852E322D1813E1B00930A7AA0BF0F6819036931BA8D1683BDAADB0B304falsetrue 23542300x80000000000000001314981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:49.487{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7979E787F764C6BEA10BD0E66886A65B,SHA256=62249CB3E6282311C2AC4FB2F2D6D9F467341BBAB7868027DC1B4DE6CC2BF6D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:50.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:50.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB1719EBE17C586D960BE0F05C7FDA0A,SHA256=EB972D7380177929F00217EFB58EDDBDBC8DBBA62954167EE46ADEE4BB53793Ffalsetrue 11241100x80000000000000004297402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:50.691{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:50.691{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4D4639C4421424FBD2B2F62CA4DA36,SHA256=63423AFB580E7FA813DE7996FAD5CEB93982A98C38654F2C700E0E00B8E98502falsetrue 23542300x80000000000000001314983Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:50.627{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001314982Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:50.502{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC046CCAF50A99CB0BA2783F59237D8E,SHA256=57CB34E14E3C22B5778AE634516CDE717A77BF8B4BE996C9DDA84E68D961EBDE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:51.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:51.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD70D314AA975242352A541A5BB93E9,SHA256=CE77614D8B3FF50EB42B3507B13562C8A01FF9C370CEA7AD483FC9C29CBE7E34falsetrue 23542300x80000000000000001314985Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:51.518{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B552D441A136F9B6831AF9118A43C496,SHA256=D1A0C353FF060110916D22F31621B248281499FC6837F6665641210E7DC84D01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:51.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:51.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FCC32163E723951826CB3C887721421F,SHA256=BB74662B8E53208E58247A4EAABF56D44359427393C3DB20476D0BE1C4BEAD6Dfalsetrue 23542300x80000000000000001314984Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:51.268{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78B049D094E7CB6411FA722D37CFE062,SHA256=A3AB2728C36EA26EC61E8EE30DF45FB83C5D76B65547312F63991F29CAA7FE1F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:52.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:52.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A078C999AFA6623976D5FF861327D3A8,SHA256=CC15D728CBFC67A3BECD27AA4B63EC8D296F84597ABD10206825538344DA9A2Bfalsetrue 11241100x80000000000000004297412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:52.738{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:52.738{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3238B1788C5144D584BF40EA82C567AB,SHA256=EB7D12C0EF426CDDCFEF8EA5D82FC2BCA6256CC3108C7B0E4583FCD22684EB00falsetrue 23542300x80000000000000001314988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:52.534{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A791AB8D584398EEA249476147E24D3A,SHA256=4C15C59AFA460E53A023AC4E2CA63109B9BC70D532E870814C12464BA77BDA7F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:52.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:52.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=746B7C0BD726B9A265A29C183F2AECBB,SHA256=6768D3D16C96630BDCF66622E5DC75403F2620153FB187AF2EBAB1180AAE8931falsetrue 354300x80000000000000001314987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.965{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000001314986Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:45.465{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000004297416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:53.769{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:53.769{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89258D12C244131F124E8DB12FC7A83B,SHA256=84CFD52B2D7AEFF90C6DCD8B15BE2A6652E74DCB14653632674DE2E14203754Efalsetrue 23542300x80000000000000001315002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.549{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A7674332D833A673C4DA8F2C2945B8,SHA256=7FDDF1C37F3F61F3ABB01FD8E7B982543BFCE02057C5096F5375365A56EAC087,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001315001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-0478-6138-D6B0-00000000F101}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001315000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-415A-6132-0C00-00000000F101}7244176C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-0478-6138-D6B0-00000000F101}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001314990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:53.002{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-0478-6138-D6B0-00000000F101}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001314989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:52.987{AEE49BD1-0478-6138-D6B0-00000000F101}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000004297422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:54.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:54.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7211909659028DBD75A446A26EE8F67,SHA256=4503746CD7356E30C08E3ED9BF66961CFB8531CCBA8955241B74989F59E75A4Ffalsetrue 23542300x80000000000000001315004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:54.565{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C8BC427571FA9A59A347C81BC4A616,SHA256=ABE6AE6673CF6741FF3E1AA65EBCDD5C0C0418291A5466AFF76F315636A51A85,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:54.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:54.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5930A921B686C8C9226BF6164DD274E3,SHA256=5BF32AB635DECA5124E92947E4B9DEA1291E2E0E4BF0CC20C89FB885E599075Cfalsetrue 11241100x80000000000000004297418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:54.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:54.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5DEA43488A125A26B0F24A806087E78,SHA256=B98BC93E4CAEC1B64DF5375C4529F011ADD014C6EEB2D95A9B913E0FBBB1D733falsetrue 23542300x80000000000000001315003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:54.049{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02245ED2A0E13C494C7DAC836684036D,SHA256=E297BE48CBF33F82804203992CD9D45C0FB07563309E2E60548E55A97D7FAFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001315005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:55.581{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954F40835F2D3E9B4ED9AB7CD1C5AB63,SHA256=94B67758EAD5A84678F68BCE656CD1AF026EB25E11D6CC981F5A140030FB4CCC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:55.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:55.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B399532D78336F1989B56F05666D687,SHA256=297714C7B913BB004215A0D41D0B848308D89AD7320A00229BCB3B042DEB3822falsetrue 354300x80000000000000004297423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:42.548{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63749-false10.0.1.12-8000- 23542300x80000000000000001315007Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:56.721{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=043BDAFD1172E8384D54616CA005868F,SHA256=71A24FD86FB08ABCABDDC377485F3619DCA40008EE27D800FED3DC84DFB26506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001315006Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:56.596{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9206DC3E1AB7F5D874691E2A5AA751BF,SHA256=96F544EF90940FF141BA18251725185A3DB5661DC04F090959660DEAB78EEC20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:56.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:56.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4999FCC945D2CCB4EB2199853C737A19,SHA256=C1112E8265B1127369A7088F690AD90C5F0C0448AD939FD78A15651EAF0F5074falsetrue 11241100x80000000000000004297427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:56.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:56.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2C39F47E7E8F0EF6BCEE9A16ED0EBE,SHA256=F272ED0033EB23CE928C363FD5A9AFF0860AC0352DE3F3427C23044F44D2B721falsetrue 354300x80000000000000001315010Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:51.433{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local59619-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001315009Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:57.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF736F5E8ABB3979FB0FD9CC5B8B242D,SHA256=AEC59EF0E1683E9DF9F165404531FD8292B663FF702FB8CF8F469B1448F1A37E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:57.972{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:57.972{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D896BE968F173F603395DB94685DB42A,SHA256=DF86777F128785AF75C268CFF76A8A2148848DD166372EADBD486BCA8FF9AF86falsetrue 11241100x80000000000000004297433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:57.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:57.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63752EC083C48092C0C701FD7106F788,SHA256=F3F4B01E7F591FB0C16E066EE1ABCCB297606C57F4DA38E0D771C8CAB005CF03falsetrue 11241100x80000000000000004297431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:57.519{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:57.519{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20F4692A54AE3E16CB64C58DF515ED9,SHA256=C8B1D424C8B66732C91B9B666822E1461F556568F494C3B54220D6B23C521B0Ffalsetrue 23542300x80000000000000001315008Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:57.112{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FCA7921B9ACDE613EE164FF206840B8,SHA256=8A847B9E5D7EE231AFD6E46D5690D08BAE6C0BD7A3EBFBD6BAC764B9CC33C6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001315011Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:58.627{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59624F3D5A196CFD83B4951D3D17010,SHA256=D6C69B4019D11BBB15182025D70035C02486AD25CE0C36A469368B1E9FB492D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000004297439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:58.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:58.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EBA8C2648CCF0C286A202A9D0705DE,SHA256=8721B63EF66AE33E17087BF0C6261C2A512B33EBFEE54BCB48565ABF206C19E2falsetrue 12241200x80000000000000004297437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:31:58.081{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000004297436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 00:31:58.081{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000004297445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:59.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:59.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90618824FAC608538735D9AE139869D,SHA256=95457D66AFB59D2B570728B99E2D547A14D43C6D4FF2B5EDBD71971EAB5AB5C6falsetrue 23542300x80000000000000001315012Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:31:59.643{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EE143CD97FB94664034619A6DEA510,SHA256=4BAB58C09FEB639792955E9C3E8B93E9A6F06857B9A978B86818488583F1BF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004297443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.516{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63750-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000004297442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.516{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63750-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000004297441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:59.097{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000004297440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:59.097{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5930A921B686C8C9226BF6164DD274E3,SHA256=5BF32AB635DECA5124E92947E4B9DEA1291E2E0E4BF0CC20C89FB885E599075Cfalsetrue 11241100x80000000000000004297450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:32:00.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000004297449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:32:00.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=351767002742D9253E58E399F6FEAEFB,SHA256=0F89BB1C4E6DC748CA5557BC8DC309E6785F0D98EDABFC85C34BD1E7615BC29Afalsetrue 11241100x80000000000000004297448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:32:00.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000004297447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:32:00.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4301B93138C8AEEB5DD01B4EB5592155,SHA256=9061C24452FD13C9DFEF5A4479CA8DB99353F0971ADE1B7C9BB2ED87A165DA92falsetrue 23542300x80000000000000001315013Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 00:32:00.659{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C9983AE038100DA36791ED3285F8B4,SHA256=6887C5A96BB7168BCD6A628E5F77C6027E7A4BCBE3406937950B5BB7A0D21591,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000004297446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 00:31:47.563{4DF467A6-D939-6137-81AF-00000000F001}